Aug 15, 2017 11:59 AM
Legal Login
with Mindi Giftos and Andrew Schlidt
WISP it good: Composing a data security plan
In its 1980 hit song “Whip It,” the American new wave band Devo espoused a certain sunny optimism for overcoming problems that life may send your way. That catchy tune continues to speak to us today as we grapple with contemporary business problems. Atop the hit list of most urgent business threats is the growing crescendo of data security risk.
When it comes to managing data security, many in business hit a flat note. To be honest, most businesses do not treat data security as a priority. Perhaps it’s the perceived expense involved. Maybe it’s a fear of the unknown. As with all business risks, there is a judgment to be made — whether or not to roll the dice and chance it. Normally the law allows a business to make this type of judgment, but that’s no longer the case with data security.
For every business, there is now a law in the United States that requires the business to secure any non-public third-party data that it possesses. The law may be in the form of a state or federal statute, or in the nature of a common law obligation as determined by an applicable court. In all cases, data security is no longer a business choice, but rather a legal obligation.
Most data security laws now require companies to implement a data security plan and to memorialize the plan in writing. These plans are generically referred to as “Written Information Security Plans” or “WISPs.” A WISP is helpful in several ways. First, it forces a company to evaluate its current security environment. Second, it creates a roadmap for implementing and managing a security plan. Lastly, it provides a written record — evidence — that the company is taking steps to secure its data in compliance with law. For these reasons, a WISP is both a good business decision and a sound method of documenting an organization’s compliance efforts.