Compliance · March 1, 2026 · 8 min read

WISP for California Businesses: Who Needs One and How to Build It

eTop

BJ Pote

CEO, eTop Technology

Here’s something most California business owners don’t know: if your company collects personal information from customers, employees, or clients, you almost certainly need a WISP. That’s a Written Information Security Program. It’s a document that spells out exactly how your business protects sensitive data, who’s responsible for what, and what happens when something goes wrong.

Most businesses don’t have one. The ones that do often have a template they downloaded from the internet five years ago and never updated. Neither of those is a good situation, and both can cost you real money when something goes sideways.

What Is a WISP?

A WISP is a comprehensive, written document that describes your organization’s information security practices. It covers the administrative, technical, and physical safeguards you have in place to protect personal information. Think of it as the master plan for how your business handles data security.

It’s not a one-page policy you stick in a binder. A proper WISP includes your security policies, your procedures for implementing them, the roles and responsibilities of your team, how you assess and manage risk, and how you respond to incidents. It’s a living document that should be reviewed and updated at least annually.

Who Needs a WISP in California?

The short answer is: more businesses than you think.

California Consumer Privacy Act (CCPA/CPRA). If your business meets the CCPA thresholds, you’re expected to implement “reasonable security procedures and practices.” The statute never uses the word “WISP,” but its private right of action (Civil Code Section 1798.150) lets consumers sue for statutory damages when their nonencrypted and nonredacted personal information is breached because the business failed to maintain reasonable security. If you get breached and you don’t have a written program, good luck arguing you had “reasonable” security.

FTC Safeguards Rule. If you’re a financial institution (which the FTC defines very broadly to include tax preparers, auto dealers arranging financing, insurance agencies, and more), you need a comprehensive information security program. In writing. We go deeper on this in our post on cybersecurity for accounting firms, since CPA firms are squarely in the crosshairs.

HIPAA. Healthcare providers and their business associates must document their security policies and procedures under the HIPAA Security Rule, which spans administrative, physical, and technical safeguards. A WISP is the natural home for that documentation, in particular the administrative safeguards the rule requires you to write down: risk analysis, workforce training, a sanction policy, and contingency planning.

IRS Publication 4557. If you’re a tax preparer, the IRS points you to the FTC Safeguards Rule obligation above and expects a written plan: PTIN renewal includes an attestation that you are aware of your obligation to have a data security plan, and the IRS and the Security Summit published a WISP template (Publication 5708). Firms without one are out of compliance.

Industry contracts. Even if no law explicitly requires you to have a WISP, your clients might. We work with a professional services firm that lost a contract bid because they couldn’t produce a written security program when the prospect’s procurement team asked for one. That’s happening more and more.

California Civil Code Section 1798.81.5. This is the one most people miss. It requires any business that owns, licenses, or maintains personal information about California residents to “implement and maintain reasonable security procedures and practices.” Regulators and plaintiff attorneys are increasingly interpreting “reasonable” to require written documentation.

The bottom line: if your California business handles personal data of any kind (names, Social Security numbers, financial account information, health information, email addresses paired with passwords), you should have a WISP.

What Goes Into a WISP?

A solid WISP isn’t vague. It’s specific to your business. Here’s what it should cover:

Purpose and Scope

Define what the WISP covers, what types of data you’re protecting, and which systems and people are in scope. A dental office with two locations has a very different scope than a regional accounting firm with remote employees.

Designated Security Coordinator

Someone has to own it. Name a specific person (or role) responsible for implementing and maintaining the program. For small businesses, this is often the owner or office manager. For businesses with a managed IT partner, it can be your MSP’s designated contact, but internal accountability still matters.

Risk Assessment

Document the threats and vulnerabilities your business faces. What data do you collect? Where is it stored? Who has access? What could go wrong? This section should be updated at least annually or whenever your business makes significant changes to its technology or operations.

Administrative Safeguards

These are the people and process controls:

  • Employee background checks for staff with access to sensitive data
  • Security awareness training (regular, not one-time)
  • Acceptable use policies for company devices and systems
  • Procedures for onboarding and offboarding employees (especially revoking access immediately when someone leaves)
  • Vendor management policies for third parties that handle your data

Technical Safeguards

This is the IT side of the house:

  • Access controls (role-based, least privilege, unique user accounts)
  • Multi-factor authentication on all systems containing personal data
  • Encryption of data at rest and in transit
  • Firewalls, endpoint protection, and network monitoring
  • Regular patching and vulnerability management
  • Secure backup and disaster recovery procedures
  • Audit logging of access to sensitive data

Physical Safeguards

Don’t overlook the basics:

  • Locked server rooms or closets
  • Clean desk policies
  • Secure disposal of paper records and old hard drives
  • Visitor access controls for areas where sensitive data is accessible

Incident Response Plan

What happens when you discover a breach or security incident? (We have a full guide on how to build an incident response plan if you want the detailed version.) Your WISP needs to include:

  • How incidents are reported internally
  • Who makes decisions about containment and response
  • How you assess the scope and impact
  • Notification procedures (California Civil Code Section 1798.82 requires notice to affected residents without unreasonable delay, and a copy of the notice to the Attorney General when a single breach affects more than 500 California residents)
  • Post-incident review to prevent recurrence

Data Retention and Disposal

How long do you keep personal data? How do you securely destroy it when you’re done? This is an area where businesses get tripped up because they never actually delete anything. That data you’re hoarding is a liability if you don’t have a legitimate business reason to keep it.

Review and Update Schedule

Your WISP should specify how often it’s reviewed (at minimum annually) and who’s responsible for updates. Document every review, even if nothing changes.

How to Actually Build One

Here’s the practical, step-by-step approach we use with clients:

Step 1: Inventory your data. Before you can protect it, you need to know what you have. Map out what personal information you collect, where it lives, how it flows through your systems, and who has access. This is the foundation.

Step 2: Assess your current security posture. Look at what controls you already have in place. Most businesses have some security measures. They’re just not documented. A cybersecurity assessment gives you a clear picture of what’s working and what’s missing.

Step 3: Identify the gaps. Compare your current state to what a complete WISP requires. This gap analysis tells you exactly what you need to build, implement, or document.

Step 4: Write the policies and procedures. This is the actual document. Keep it specific to your business. Generic templates are a starting point, not a finish line. Your WISP should reflect how your business actually operates, not how a hypothetical business in a different industry operates.

Step 5: Implement the technical controls. If your gap analysis reveals missing safeguards, like MFA or encryption, implement them before you finalize the WISP. The document should describe what you actually do, not what you plan to do someday.

Step 6: Train your team. A WISP that lives in a drawer is useless. Every employee who handles personal data needs to understand their role in the program. Annual training at minimum, with refreshers when policies change.

Step 7: Review and update annually. Set a calendar reminder. Your business changes, your technology changes, the threats you face change. Your WISP needs to keep pace.
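Step 1 is where most WISPs go wrong, because “where does personal data live?” gets answered from memory instead of from evidence. The script below is an added example, not eTop’s tooling or a template from any of the regulators above: it sweeps a set of text files for the identifier types the California statutes care about (SSNs, payment card numbers, email addresses) and turns the hits into the two things the Purpose and Scope and Risk Assessment sections need, a per-location inventory and a per-data-type list of in-scope systems. The sample files are constructed inline so it runs offline; the Luhn check and the SSN range exclusions are there so invoice numbers and placeholder values are not reported as regulated data.

```python
"""Added example: a minimal PII discovery pass for the data-inventory step.

Not eTop's code. The sample "files" are constructed inline so the script runs
offline; point scan_tree() at a real share or export to use it on your data.
"""
import re
from collections import defaultdict
from pathlib import Path

# Identifier patterns. The SSN pattern rejects never-issued area numbers
# (000, 666, 900-999) and zero groups; the card pattern only finds
# candidates, which luhn_ok() then confirms.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so 16-digit invoice or account numbers are not reported as cards."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> dict[str, int]:
    """Count confirmed identifiers of each kind in one document."""
    counts: dict[str, int] = defaultdict(int)
    counts["ssn"] += len(PATTERNS["ssn"].findall(text))
    for m in PATTERNS["card"].finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            counts["card"] += 1
    counts["email"] += len(PATTERNS["email"].findall(text))
    return {k: v for k, v in counts.items() if v}


def build_inventory(files: dict[str, str]) -> dict[str, dict[str, int]]:
    """Map each location to the identifier types it holds; clean locations are dropped."""
    inventory: dict[str, dict[str, int]] = {}
    for path, content in files.items():
        found = classify(content)
        if found:
            inventory[path] = found
    return inventory


def scope_by_identifier(inventory: dict[str, dict[str, int]]) -> dict[str, list[str]]:
    """Invert the inventory: which locations are in scope for each data type."""
    scope: dict[str, list[str]] = defaultdict(list)
    for path, found in inventory.items():
        for kind in found:
            scope[kind].append(path)
    return {k: sorted(v) for k, v in scope.items()}


def scan_tree(root: str, suffixes: tuple[str, ...] = (".txt", ".csv", ".log")) -> dict[str, str]:
    """Read text files under root into the same {path: content} shape as SAMPLE_FILES."""
    files: dict[str, str] = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in suffixes:
            files[str(p)] = p.read_text(errors="ignore")
    return files


# Constructed sample corpus standing in for a file share. Not real people or cards;
# 4111 1111 1111 1111 is the standard test PAN and the invoice number fails Luhn.
SAMPLE_FILES = {
    "hr/onboarding/jdoe.txt": "Employee: J. Doe\nSSN: 123-45-6789\nEmail: jdoe@example.com\n",
    "finance/invoices/2025-11.txt": "Invoice 1234567890123456 due 11/30\nContact: ap@example.com\n",
    "sales/cards.txt": "Card on file: 4111 1111 1111 1111\n",
    "marketing/blog-draft.txt": "Nothing sensitive here, just prose.\n",
}

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FILES)
    for path, found in sorted(inv.items()):
        print(f"{path}: {found}")
    print("in scope by data type:", scope_by_identifier(inv))
```

On the sample corpus the HR file shows up with one SSN and one email, the invoice file with only an email (its 16-digit invoice number fails the Luhn check), the sales file with one card number, and the marketing draft does not appear at all. Run against a real share, the inverted view is what you paste into the scope section: every path under “ssn” or “card” must be covered by the encryption, access control, and retention rules in the sections above, and anything that is not on the list is a candidate for deletion under Data Retention and Disposal.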

Why This Matters for Your Business

We had a client, a mid-size professional services firm in Riverside, get hit with a phishing attack that compromised some client data. They had solid technical controls in place, and the damage was contained quickly. But when their cyber insurance provider started the claims process, the first thing they asked for was the written security program. Because our client had a current WISP with documented policies and evidence of implementation, the claim went smoothly.

Contrast that with another business we talked to after the fact. Similar incident, but no written program. Their insurer pushed back hard, the claim was delayed for months, and their legal exposure was significantly higher because they couldn’t demonstrate “reasonable security.”

A WISP is your proof that you take data protection seriously. It’s your defense in a lawsuit. It’s what your insurance company wants to see. And it’s what increasingly sophisticated clients and partners are asking for before they’ll do business with you.

What Should You Do Next?

If you don’t have a WISP, start building one. If you have one but it’s stale or generic, update it to reflect your actual environment.

If you want help, we specialize in building compliance programs for California businesses. We’ll assess your environment, identify the gaps, help you build the technical controls, and produce a WISP that’s thorough, practical, and specific to your business. Not a template. A real program that protects you.

Reach out for a compliance assessment. We’ll tell you where you stand and what it takes to get where you need to be.


eTop Technology has spent over 15 years in IT and over 12 years serving the Inland Empire as a trusted managed IT provider. We host the Business Tech Playbook podcast and are passionate about helping business leaders make smarter technology decisions.
