The “WISP” Requirement: Why Las Vegas Law Firms Are Scrambling in 2025
If you renewed your Preparer Tax Identification Number (PTIN) or updated your firm’s compliance checklist recently, you might have checked a box confirming you have a “Written Information Security Plan” (WISP).
Here is the scary question: Do you actually have one?
For many Las Vegas law firms—especially those in Personal Injury, Estate Planning, and Tax Law—checking that box without a documented plan constitutes perjury. Beyond the IRS, the State Bar of Nevada and new state privacy laws (SB 370) are tightening the noose on data security.
At CMIT Solutions of Las Vegas, we help local firms move from “checking the box” to actual, audit-ready compliance. Here is what your firm needs to know to avoid fines in 2025.
1. What is a WISP and Why Do You Need It?
A WISP isn’t just a generic employee handbook. It is a federally mandated document that details exactly how your firm protects client data. Under the FTC Safeguards Rule and IRS Publication 4557, your WISP must include:
- Designated Employee: Who is legally responsible for IT security in your firm?
- Risk Assessment: A documented audit of where your data lives (and where it leaks).
- Vendor Management: Proof that your IT provider (us) is also compliant.
The Risk: If you suffer a data breach and cannot produce a current WISP, your cyber insurance claim will likely be denied, and you could face disciplinary action from the Bar.
2. Nevada SB 370: The Hidden Trap for Personal Injury Firms
Many Las Vegas attorneys think, “I’m not a doctor, so health privacy laws don’t apply to me.”
Think again.
Nevada’s new Consumer Health Data Privacy Law (SB 370) defines “consumer health data” broadly. If you handle Personal Injury or Workers’ Compensation claims, you are processing health data. This law requires:
- A distinct “Health Data Privacy Policy” on your website (separate from your standard privacy policy).
- Explicit client consent before you collect their medical records.
- Strict geofencing prohibitions (you can’t target people at hospitals with digital ads).
3. ABA Formal Opinion 498: “Tech Ignorance” is No Excuse
The American Bar Association has made it clear in Formal Opinion 498: attorneys must have “technological competence.” You cannot simply say, “I’m not a tech person.”
To meet this ethical duty in 2025, your virtual or hybrid practice must have:
- Encrypted Email: Sending case files via standard Gmail is a violation.
- Endpoint Security: Antivirus is not enough; you need “Endpoint Detection and Response” (EDR) to stop ransomware.
- Vetted Wi-Fi: Working from a coffee shop in Summerlin without a VPN is a breach waiting to happen.
Stop “Guessing” at Compliance
You went to law school to practice law, not IT security. Let us handle the WISP, the audits, and the encryption so you can focus on your clients.
We offer a complimentary “Compliance Gap Analysis” for Las Vegas law firms. Let’s see where you stand.
Schedule Your Confidential Audit
Related Resources for Attorneys
- 🛡️ 3 Phishing Scams Targeting Las Vegas Law Firms
Lawyers are the #1 target for “Wire Fraud” scams. See the latest threats.
- 📋 Co-Managed IT: Support for Your Internal Team
Does your firm have an internal IT director? We can help them handle the compliance workload.
