This checklist is based on Massachusetts requirements, but the criteria will be similar for most states.
Use this checklist to determine if a WISP is required for your business under M.G.L. c. 93H and 201 CMR 17.00. Once you know if you need a WISP you can see the requirements inside a WISP at: https://www.mass.gov/files/documents/2017/11/21/compliance-checklist.pdf
Step 1: Does Your Business Collect or Store Personal Information (PII) of Massachusetts Residents?
A business must have a WISP if it owns, licenses, or maintains any of the following information about Massachusetts residents:
☐ First name and last name OR first initial and last name, in combination with:
- ☐ Social Security Number (SSN)
- ☐ Driver’s license number or state-issued ID number
- ☐ Financial account number, credit card number, or debit card number (with or without access codes or passwords)
If you checked any box above, a WISP is required.
If no PII is collected, proceed to Step 2.
Step 2: Does Your Business Store or Transmit Employee PII (Including I-9 Forms)?
If your business has Massachusetts employees, you likely store PII for payroll, tax, or HR purposes, including:
☐ Employee Social Security Numbers (SSN)
☐ Employee bank account details for direct deposit
☐ Employee driver’s license numbers or state-issued IDs
☐ Employee I-9 Employment Eligibility Forms, which contain:
- ☐ Social Security Number (if provided)
- ☐ Passport number or Permanent Resident Card number
- ☐ Driver’s license or other government-issued ID copy
If you checked any box above, a WISP is required.
If your business has no employees OR does not collect this data, proceed to Step 3.
Step 3: Does Your Business Work with Third-Party Vendors That Handle PII?
Even if you do not store PII, a WISP is required if you use third-party services that process or store PII on your behalf.
Do you use any of the following vendors for Massachusetts residents’ PII?
☐ Payroll services (e.g., ADP, Paychex)
☐ HR/Benefits processing (e.g., Gusto, TriNet, Justworks)
☐ Credit card processing (e.g., Square, Stripe, PayPal, Clover)
☐ Cloud storage or IT vendors that store PII
☐ Third-party marketing firms that collect customer data
If you checked any box and your vendor handles Massachusetts PII, a WISP is required.
If your business does not use vendors to process PII, proceed to Step 4.
Step 4: Does Your Business Collect Customer Payment Information?
☐ Do you accept credit or debit card payments?
- If YES, does your business store customers’ payment information instead of using a third-party processor?
- ☐ YES → WISP required
- ☐ NO → Proceed to Step 5
☐ Do you collect bank account information for recurring payments?
- ☐ YES → WISP required
- ☐ NO → Proceed to Step 5
If your business only uses third-party processors (e.g., PayPal, Stripe, Square) and does not store card details, you may not need a WISP for payments.
Step 5: Business Type Evaluation – Likely Exempt from WISP?
A business is likely exempt from WISP requirements if all of the following apply:
☐ Your business does not collect Massachusetts resident names + SSN, driver’s license, or bank account info.
☐ Your business has no employees or only hires non-Massachusetts employees.
  Note: Other states may require their own version of a WISP or data security policy. If you hire employees in other states, check their cybersecurity and data protection laws.
☐ Your business only works with other businesses (B2B) and does not store customer PII.
☐ Your business only accepts payments through third-party processors and does not store credit card or bank info.
☐ Your business does not outsource payroll, HR, or IT services that handle PII.
☐ Your business only handles corporate EINs, vendor names, and business information, but no personal PII.
Final Decision: Does Your Business Need a WISP?
- If you checked ANY box in Steps 1-4 → You need a WISP.
- If you ONLY checked boxes in Step 5 → You may be exempt.
Need Help with a WISP?
If you need a WISP, jIT Solutions can help create a customized WISP that meets Massachusetts (and other) compliance standards. We have the tools and resources needed to walk through the WISP Compliance checklist https://www.mass.gov/files/documents/2017/11/21/compliance-checklist.pdf for your business and help make you compliant. Becoming compliant is a journey, so it will take some time but…
Note: it is not as expensive as you may think. We have created and integrated with some amazing tools to simplify this process.
Contact: jIT Solutions | 508-947-1478