Publications

Does your staffing firm have a written information security program (WISP)? As the threat of cyber-attacks is on the rise, staffing clients, employees and job candidates expect that staffing firms will maintain the privacy and security of their confidential personal information, including Social Security numbers, driver's license and other government-issued identification card numbers, bank account information, and credit and debit card numbers. Staffing firms may possess some or all of these types of sensitive information. A well-designed and well-implemented WISP could lead to better security awareness among staffing firms’ principals and employees, better client relations, and reduce potential legal liability in the event of a data breach.

In addition, if a firm does not already have a WISP, it could be in violation of the law, regardless of the firm’s physical location and size. For example, a Massachusetts regulation titled 201 CMR 17.00 known as “Standards for the Protection of Personal Information of Residents of the Commonwealth”, requires businesses to establish a WISP that provides for the safeguarding of certain personal information of Massachusetts residents. Importantly, as long as the firm possesses protected personal information about a resident of Massachusetts, this regulation will apply even if the firm does not have a physical presence in state. Other states will likely follow Massachusetts’s lead and enact their own statutes or regulations that require WISPs.

Moreover, even if staffing firms are not otherwise bound by law or regulation to do so, their clients may contractually require them to implement a WISP, particularly if the clients operate in industries that have strong data privacy regulations, such as healthcare and financial services.

What is a WISP? It is a document that describes the measures that a firm takes to protect the security and confidentiality of personal and other sensitive information it collects and maintains. To create and follow through on an effective WISP, firms should at the minimum consider the following:

• identifying reasonably foreseeable internal and external risks to the security, confidentiality and integrity of electronic and paper documents containing personal information;
• assessing the likelihood and potential damage of these risks;
• evaluating the sufficiency of your firm’s existing policies, procedures and other safeguards in place to control risks;
• developing additional security policies relating to the storage, access and transportation of records containing personal information;
• designating one or more employees to maintain the information security program;
• preventing terminated employees from accessing records containing personal information;
• providing for the oversight of service providers; and
• making modifications to your security policies and procedures as necessary.

For more information on the topic discussed, contact:

• Joel A. Klarreich  |  jak@thsh.com  |  212-508-6747
• Jason B. Klimpl  |  klimpl@thsh.com  |  212-508-7529
• Andrew W. Singer  |  singer@thsh.com  |  212-508-6723
• Stacey A. Usiak  |  usiak@thsh.com  |  212-702-3158