The Internal Revenue Service (IRS), along with its Security Summit partners, recently issued a reminder that organizations handling sensitive personal data must maintain a Written Information Security Plan, or WISP. Although this requirement is directed at tax professionals, the guidance offers important takeaways for all employers, especially those managing employee benefit information, payroll data, or health plan records.
A WISP is a structured document that outlines how an organization protects the personal information it collects and stores. As cybersecurity threats continue to rise, a formal WISP is no longer just a best practice. For many employers, especially those operating in regulated industries or acting as financial institutions under federal law, it is a legal requirement.
What Is a WISP?
A WISP is a formal plan designed to prevent unauthorized access to personal data. It typically addresses three key areas:
- Employee management and training
- Information systems and access controls
- Detection, response, and mitigation of data breaches
The plan should describe how your organization identifies risks, implements safeguards, monitors for issues, and responds to incidents. For employers who contract with service providers that access sensitive data (such as payroll or benefits administrators), the WISP should also address vendor oversight: selecting providers capable of protecting the data, requiring safeguards by contract, and periodically reviewing whether those safeguards are in place.
Why It Matters
Under the Gramm-Leach-Bliley Act and the Federal Trade Commission (FTC) Safeguards Rule, "financial institutions" (a category the FTC defines broadly enough to include tax preparers and other businesses that handle customer financial information) must maintain a written information security program with specified elements. Employers that sponsor group health plans or health flexible spending accounts may also fall under HIPAA or other federal privacy laws. Even small employers with limited access to sensitive data should have policies in place to address risk.
Recommended Actions for Employers
- Assign a designated individual or team to oversee your information security program (the FTC Safeguards Rule calls this person the "Qualified Individual")
- Assess risks to personal information in all areas of your operation
- Implement and test physical, administrative, and technical safeguards
- Monitor security procedures regularly and update the WISP when operations change
- Review and include incident response protocols, including breach reporting obligations (state breach-notification laws, any FTC notification requirement that applies under the Safeguards Rule, and, for tax professionals, reporting data theft to the IRS Stakeholder Liaison)
Resources Available
The IRS has developed tools to assist small organizations with WISP development. These include:
- IRS Publication 5708, "Creating a Written Information Security Plan for your Tax & Accounting Practice": a step-by-step guide with a sample WISP template
- IRS Publication 5709, "How to Create a Written Information Security Plan for Data Safety," and IRS Publication 5293, "Data Security Resource Guide for Tax Professionals": resources focused on data security best practices
- IRS Publication 4557, "Safeguarding Taxpayer Data": an overview of protecting taxpayer information and responding to data theft
- NISTIR 7621, "Small Business Information Security: The Fundamentals": NIST's guide for organizations without dedicated security staff
These tools, while geared toward tax professionals, are useful to any employer building or refining an internal data protection strategy.
Bottom Line
Whether you are a tax firm or an employer collecting personal data through benefits enrollment or payroll, a WISP should be part of your compliance and risk management toolkit. Establishing and maintaining this plan supports both regulatory obligations and employee trust.
Benefit Allocation Systems (BAS) provides best-in-class, online solutions for: Employee Benefits Enrollment; COBRA; Flexible Spending Accounts (FSAs); Health Reimbursement Accounts (HRAs); Leave of Absence Premium Billing (LOA); Affordable Care Act Record Keeping, Compliance & IRS Reporting (ACA); Group Insurance Premium Billing; Property & Casualty Premium Billing; and Payroll Integration.
MyEnroll360 can integrate with any insurance carrier for enrollment eligibility management (e.g., Blue Cross, Blue Shield, Aetna, United Health Care, Kaiser, CIGNA and many others), and with any payroll system for enrollment deduction management (e.g., Workday, ADP, Paylocity, PayCor, UKG, and many others).
This article is for informational purposes only and is not intended as legal, tax, or benefits advice. Readers should not rely on this information for taking (or not taking) any action relating to employment, compliance, or benefits. Always consult with a qualified professional before making decisions based on this content.