Written Information Security Program (WISP)
A formal, documented information security program required by Massachusetts regulation 201 CMR 17.00 for any entity that owns or licenses personal information about a Massachusetts resident — regardless of where the entity is located.
Overview
A Written Information Security Program (WISP) is a comprehensive, written set of administrative, technical, and physical safeguards an entity adopts to protect personal information. Massachusetts regulation 201 CMR 17.00, in force since March 1, 2010 and still one of the most prescriptive state security regulations in the US, requires any person or entity that "owns or licenses" personal information about a Massachusetts resident to develop, implement, and maintain a WISP.
The regulation is extraterritorial — it does not matter where the business is located, where the data is stored, or where the processing occurs. If a single Massachusetts resident's personal information is in the dataset, the full 201 CMR 17.00 apparatus applies.
The WISP must be appropriate to the size, scope, and type of business; the resources available; the amount of stored data; and the need for security. A two-person consultancy and a Fortune 500 financial institution are both required to have a WISP, but the content will look very different.
When It Applies
A WISP is required when all of the following are true:
- The party is a natural person or legal entity; there is no revenue or headcount threshold
- It owns or licenses personal information, which 201 CMR 17.02 defines broadly as receiving, storing, maintaining, processing, or otherwise having access to that information in connection with goods, services, or employment
- The personal information is about a Massachusetts resident; the regulation is triggered by the residency of the data subject, not by the location of the controller
"Personal information" under 201 CMR 17.02 is a resident's first name (or first initial) and last name combined with any of: Social Security number; driver's license or state-issued ID card number; or a financial account number or credit or debit card number, with or without any security code, access code, PIN, or password that would permit access to the account. Information lawfully obtained from publicly available sources or government records is excluded.
Required Elements of a WISP
Under 201 CMR 17.03 and 17.04, a compliant WISP must include:
| Element | Specific Requirement |
|---|---|
| Designated security officer | One or more individuals responsible for the program |
| Risk assessment | Identification of foreseeable internal and external risks |
| Employee training | Regular training on the WISP and appropriate practices |
| Access restrictions | Limit access on a need-to-know basis; terminate access of departed personnel immediately |
| Third-party oversight | Verify that service providers apply comparable safeguards; written contracts |
| Regular monitoring | Ongoing review of safeguards; post-incident review; program review at least annually or whenever business practices materially change |
| Incident response | Documented procedures for breach detection, response, and post-mortem |
| Encryption in transit | Required for personal information transmitted across public networks or wirelessly |
| Encryption at rest | Required on portable devices (laptops, USB drives, backup tapes) |
| Authentication controls | Secure user authentication: control of user IDs, reasonably secure password assignment and storage, access restricted to active accounts, lockout after repeated failed logins |
| System security | Reasonably up-to-date firewall protection and operating-system security patches; malware protection with current virus definitions |
| Physical security | Physical access controls to systems and records |
Variations Across Jurisdictions
Massachusetts is unique in the prescriptive specificity of 201 CMR 17.00. Other states impose information-security obligations but at a higher level of abstraction:
| Jurisdiction | Security Law | Prescriptive? |
|---|---|---|
| Massachusetts | 201 CMR 17.00 | Yes — itemized control list |
| New York | SHIELD Act | Partial — requires "reasonable" administrative, technical, physical safeguards with examples |
| Georgia | Insurance Data Security Act | Yes — for insurance licensees; follows NAIC Model Law |
| South Carolina | Insurance Data Security Act | Yes — for insurance licensees; follows NAIC Model Law |
| Ohio | Data Protection Act (SB 220) | Voluntary — safe harbor incentive, not obligation |
| California, Virginia, Colorado, and other states with comprehensive consumer-privacy statutes | Reasonable security clause | No — general "appropriate" or "reasonable" standard |
201 CMR 17.00 is issued under M.G.L. chapter 93H, and the Attorney General enforces it through chapter 93A, the state consumer-protection statute, which carries civil penalties and, in private actions, up to treble damages. That pairing makes the WISP one of the more consequential security regulations in the country despite the relatively small state population.
How Inori Handles This
Because Inori's customer base includes commercial real estate operators with Massachusetts properties — and vendors, tenants, and certificate holders with Massachusetts residency — the platform processes personal information about Massachusetts residents and falls squarely within 201 CMR 17.00.
Grounding in code and policy:
- Designated security officer: documented in `src/content/legal/privacy.mdx` v1.2 with a dedicated `security@` contact.
- Access restrictions: Supabase Row Level Security (`supabase/migrations/002_rls_policies.sql`) and `app_tenant_id()` enforcement (migration `012_harden_app_tenant_id.sql`) limit access to authenticated users within their tenant scope.
- Encryption: all traffic is TLS 1.2+; Supabase Cloud encrypts data at rest; Firebase App Hosting enforces HTTPS-only.
- Authentication: Supabase Auth with session timeout and login lockout, per `inori-security-audit-2026-04-12.md`.
- Third-party oversight: every subprocessor operates under a DPA with equivalent-safeguards language (see DPA).
- Incident response: the breach-notification playbook in `src/lib/incident/` meets the strictest state notice window and generates the documentation 201 CMR 17.03(2)(j) requires.
- Monitoring and review: the error-catalog cron plus `src/app/api/admin/errors` provide the ongoing-monitoring evidence the regulation expects.
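The access-restriction bullet above is the one 201 CMR 17.00 control with a directly testable technical shape: a need-to-know rule enforced in the database rather than in application code. The following is an added illustration, not Inori's own migrations (which the page does not reproduce): a Postgres/Supabase schema with a hypothetical `app_tenant_id()` that reads the tenant from the verified JWT, a weak policy shown for contrast, and the hardened form. The table, column, and claim names (`certificate_holders`, `tenant_id`, the `tenant_id` JWT claim) are assumptions; in a real Supabase project the claim usually lives under `app_metadata` and the path must match however the token is minted.

```sql
-- Added illustration (not the project's code). Assumed schema for a
-- tenant-scoped table holding WISP-covered personal information.
create table if not exists tenants (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table if not exists certificate_holders (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null references tenants(id),
  full_name text not null,
  ssn_last4 char(4)
);

-- Hypothetical stand-in for app_tenant_id(): derive the tenant from the
-- JWT claims PostgREST exposes as a transaction-local setting. Assumes a
-- top-level "tenant_id" claim. Declared STABLE so it is evaluated once per
-- statement; search_path pinned so a caller cannot shadow pg_catalog names.
create or replace function app_tenant_id()
returns uuid
language sql
stable
set search_path = pg_catalog, public
as $$
  select nullif(
    current_setting('request.jwt.claims', true)::jsonb ->> 'tenant_id',
    ''
  )::uuid
$$;

alter table certificate_holders enable row level security;
-- Apply policies even to the table owner (service roles, migrations run as owner).
alter table certificate_holders force row level security;

-- Weak form, kept commented for contrast: the tenant comes from a setting the
-- client can choose, so any authenticated user can read any tenant's rows.
-- create policy holders_weak on certificate_holders
--   for select using (tenant_id = current_setting('app.tenant', true)::uuid);

-- Hardened form: the tenant is taken from the verified token. If the claim is
-- absent (anon) or malformed, app_tenant_id() yields NULL or raises, and
-- NULL = anything is not true, so no row is visible.
create policy holders_tenant_select on certificate_holders
  for select to authenticated
  using (tenant_id = app_tenant_id());

create policy holders_tenant_insert on certificate_holders
  for insert to authenticated
  with check (tenant_id = app_tenant_id());

create policy holders_tenant_update on certificate_holders
  for update to authenticated
  using (tenant_id = app_tenant_id())
  with check (tenant_id = app_tenant_id());

-- Need-to-know also means no blanket grants: anon gets nothing at the
-- privilege layer regardless of how the policies are written.
revoke all on certificate_holders from anon;
grant select, insert, update on certificate_holders to authenticated;

-- Check, run in the SQL editor or psql: simulate a token for tenant A and
-- confirm only tenant A rows come back (constructed UUIDs).
-- begin;
--   set local role authenticated;
--   select set_config('request.jwt.claims',
--     '{"tenant_id":"00000000-0000-0000-0000-00000000000a"}', true);
--   select count(*) from certificate_holders;  -- tenant A rows only
-- rollback;
```

Two points worth checking in any real migration of this shape: `force row level security` matters because Supabase service-role and migration sessions often run as the table owner, and a policy that depends on a client-settable GUC (the commented weak form) passes a casual test yet enforces nothing against a hostile client.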
Related Concepts
A WISP is the security layer; the DPA is the contractual layer that extends WISP-equivalent obligations to processors. The WISP is a primary input to the security sections of a DPIA. In the insurance-vendor context, WISP posture is one of the safeguards an underwriter may evaluate when issuing or renewing the Certificate of Insurance — the two instruments together attest to the vendor's operational and cyber-risk readiness.
See how Inori handles written information security program (wisp)
Try our free COI checker first, or start a free trial of the full platform.