This is a guest post written by Joel Goloskie, Esq. Joel is Senior Counsel with Pannone, Lopes, Devereaux, & O'Gara in Boston, and a member of the firm's Healthcare, Litigation, and Corporate & Business teams. Joel advises and assists his clients on international, federal, and state cybersecurity issues, with a focus on helping clients monetize innovative uses of data while remaining compliant with slowly evolving regulatory regimes. For more information on Joel, please visit his profile on the Pannone, Lopes, Devereaux, & O'Gara website, or feel free to contact him at firstname.lastname@example.org.
For businesses that maintain data on customers or, increasingly, on their own employees, the term “WISP” should be familiar. A WISP, or Written Information Security Program, is the document in which an entity spells out the administrative, technical, and physical safeguards by which it protects the privacy of the personally identifiable information it stores. Healthcare entities subject to HIPAA have long since become accustomed not merely to developing their own WISPs, but to requiring the same of any business associate with which they share patient information. Similarly, banking, insurance, and financial institutions have for years developed WISPs in response to their industries’ privacy requirements.