The Internal Revenue Service (IRS), along with its Security Summit partners, recently issued a reminder that organizations handling sensitive personal data must maintain a Written Information Security Plan, or WISP. Although this requirement is directed at tax professionals, the guidance offers important takeaways for all employers, especially those managing employee benefit information, payroll data, or health plan records.
A WISP is a structured document that describes how an organization protects the personal information it collects, stores, and shares. As cybersecurity threats continue to rise, a formal WISP is no longer just a best practice. For many employers, especially those operating in regulated industries or treated as financial institutions under federal law (a category that includes tax return preparers), a written security program is a legal requirement.
What Is a WISP?
A WISP is a formal plan designed to prevent unauthorized access to personal data. It typically addresses three key areas:
The plan should describe how your organization identifies risks, implements safeguards, monitors whether those safeguards are working, and responds to incidents. For employers who contract with service providers that access sensitive data (such as payroll or benefits administrators), the WISP should also address vendor oversight: selecting providers that can maintain appropriate safeguards, requiring those safeguards by contract, and periodically assessing whether the provider is still meeting them.
Why It Matters
Under the Gramm-Leach-Bliley Act and the FTC Safeguards Rule (16 CFR Part 314), businesses that handle personal financial information must develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards appropriate to their size and the sensitivity of the data. Employers that sponsor group health plans, including health flexible spending accounts, may also be subject to HIPAA's privacy and security requirements or other federal privacy laws. Even small employers with limited access to sensitive data should have written policies in place to address risk.
Recommended Actions for Employers
Resources Available
The IRS has developed tools to assist small organizations with WISP development. These include:
These tools, while geared toward tax professionals, are useful to any employer building or refining an internal data protection strategy.
Bottom Line
Whether you are a tax firm or an employer collecting personal data through benefits enrollment or payroll, a WISP should be part of your compliance and risk management toolkit. Establishing and maintaining this plan supports both regulatory obligations and employee trust.
Benefit Allocation Systems (BAS) provides best-in-class, online solutions for: Employee Benefits Enrollment; COBRA; Flexible Spending Accounts (FSAs); Health Reimbursement Accounts (HRAs); Leave of Absence Premium Billing (LOA); Affordable Care Act Record Keeping, Compliance & IRS Reporting (ACA); Group Insurance Premium Billing; Property & Casualty Premium Billing; and Payroll Integration.
MyEnroll360 can integrate with any insurance carrier for enrollment eligibility management (e.g., Blue Cross, Blue Shield, Aetna, United Health Care, Kaiser, CIGNA and many others), and integrate with any payroll system for enrollment deduction management (e.g., Workday, ADP, Paylocity, PayCor, UKG, and many others).
This article is for informational purposes only and is not intended as legal, tax, or benefits advice. Readers should not rely on this information for taking (or not taking) any action relating to employment, compliance, or benefits. Always consult with a qualified professional before making decisions based on this content.