This checklist is based on Massachusetts requirements, but the requirements will be similar for most states.
Use this checklist to determine whether a WISP (Written Information Security Program) is required for your business under M.G.L. c. 93H and 201 CMR 17.00. Once you know whether you need a WISP, you can see what a WISP must contain at: https://www.mass.gov/files/documents/2017/11/21/compliance-checklist.pdf
Step 1: Does Your Business Collect or Store Personal Information (PII) of Massachusetts Residents?
A business must have a WISP if it owns, licenses, or maintains any of the following information about Massachusetts residents:
☐ First name and last name OR first initial and last name, in combination with:
- ☐ Social Security Number (SSN)
- ☐ Driver’s license number or state-issued ID number
- ☐ Financial account number, credit card number, or debit card number (with or without access codes or passwords)
If you checked any box above, a WISP is required.
If no PII is collected, proceed to Step 2.
Step 2: Does Your Business Store or Transmit Employee PII (Including I-9 Forms)?
If your business has Massachusetts employees, you likely store PII for payroll, tax, or HR purposes, including:
☐ Employee Social Security Numbers (SSN)
☐ Employee bank account details for direct deposit
☐ Employee driver’s license numbers or state-issued IDs
☐ Employee I-9 Employment Eligibility Verification forms, which contain:
- ☐ Social Security Number (if provided)
- ☐ Passport number or Permanent Resident Card number
- ☐ Driver’s license or other government-issued ID copy
If you checked any box above, a WISP is required.
If your business has no employees OR does not collect this data, proceed to Step 3.
Step 3: Does Your Business Work with Third-Party Vendors That Handle PII?
Even if you do not store PII, a WISP is required if you use third-party services that process or store PII on your behalf.
Do you use any of the following vendors for Massachusetts residents’ PII?
☐ Payroll services (e.g., ADP, Paychex)
☐ HR/Benefits processing (e.g., Gusto, TriNet, Justworks)
☐ Credit card processing (e.g., Square, Stripe, PayPal, Clover)
☐ Cloud storage or IT vendors that store PII
☐ Third-party marketing firms that collect customer data
If you checked any box and your vendor handles Massachusetts PII, a WISP is required.
If your business does not use vendors to process PII, proceed to Step 4.
Step 4: Does Your Business Collect Customer Payment Information?
☐ Do you accept credit or debit card payments?
- If YES, does your business store customers’ payment information instead of using a third-party processor?
- ☐ YES → WISP required
- ☐ NO → Proceed to Step 5
☐ Do you collect bank account information for recurring payments?
- ☐ YES → WISP required
- ☐ NO → Proceed to Step 5
If your business only uses third-party processors (e.g., PayPal, Stripe, Square) and does not store card details, you may not need a WISP for payments.
Step 5: Business Type Evaluation – Likely Exempt from WISP?
A business is likely exempt from WISP requirements if all of the following apply:
✅ Your business does not collect Massachusetts resident names + SSN, driver’s license, or bank account info.
✅ Your business has no employees or only hires non-Massachusetts employees.
- ⚠ Note: Other states may require their own version of a WISP or data security policy. If you hire employees in other states, check their cybersecurity and data protection laws.
✅ Your business only works with other businesses (B2B) and does not store customer PII.
✅ Your business only accepts payments through third-party processors and does not store credit card or bank info.
✅ Your business does not outsource payroll, HR, or IT services that handle PII.
✅ Your business only handles corporate EINs, vendor names, and business information, but no personal PII.
📌 Final Decision: Does Your Business Need a WISP?
- If you checked ANY box in Steps 1-4 → You need a WISP.
- If you ONLY checked boxes in Step 5 → You may be exempt.
Need Help with a WISP?
🔹 If you need a WISP, jIT Solutions can help create a customized WISP that meets Massachusetts (and other states') compliance standards. We have the tools and resources needed to walk through the WISP compliance checklist (https://www.mass.gov/files/documents/2017/11/21/compliance-checklist.pdf) for your business and help make you compliant. Becoming compliant is a journey, so it will take some time, but…
Note: it is not as expensive as you may think. We have created and integrated with some amazing tools to simplify this process.
📞 Contact: jIT Solutions | 508-947-1478