STATE CYBER & BREACH REQUIREMENTS

State-based requirements, translated into proof.

Select a state to see:

Breach notification basics (applies to everyone)
Insurance cybersecurity overlays (where adopted)
Federal overlays (FTC Safeguards / GLBA)
The evidence you should be able to produce on demand

Built for "show me" moments—renewals, audits, DOI exams, and diligence.

Book a 30‑minute Program Review Book a 30‑minute Program Review

Free • confidential • ~2 minutes • built from real regulator + auditor questions

Select your state

Most requirements share the same fundamentals: a written program, risk decisions, vendor oversight, incident readiness, and an evidence trail. What differs by state is timing, who must be notified, and how you're expected to present proof.

Operate in multiple states? Select each state you care about—your program should meet the strictest applicable requirements.

This filter only changes what's shown below. It doesn't change what you're obligated to do.

Interactive map

State-specific insurance data security laws NAIC-based insurance data security laws

NAIC 668 adopters

State-specific law

Baseline (no dedicated statute)

The map highlights insurance cybersecurity overlays. Breach notification laws apply in every state—see the state summary below.

State summary

Select a state on the map (or from the list) to see:

What applies to everyone (breach notification + baseline expectations)
Industry overlays (insurance / tax & accounting)
The evidence artifacts you should keep ready

State

Program Review

State

What applies and what to keep ready

Program Review

Breach Notification All orgs with state resident data

Insurance Cybersecurity Insurance licensees

Federal Overlays FTC Safeguards / GLBA

Applies to

If you store or process personal information for state residents, these notice rules can apply—even if you're not in a regulated industry.

Trigger

A security incident that meets the state's definition of a reportable breach (typically unauthorized access to covered personal information).

Covered Data

"Personal information" usually means a name plus a sensitive identifier (SSN, driver's license, financial account).

Consumer Notice

Without unreasonable delay

Timing can change if law enforcement requests a delay.

Regulator / AG

If thresholds are met

Track the affected count and document the determination.

First 24 Hours

Preserve logs and evidence (don't "clean up" yet)
Open an incident ticket and assign an owner
Start the decision log + incident timeline
Notify counsel and your cyber insurer

Key Obligations

Written Program

Risk Assessment

MFA + Encryption

Vendor Oversight

Incident Response

Who You Notify

Primary

Affected state residents — if covered personal information was accessed or acquired

Conditional

State Regulator / AG — if notice thresholds are met
Consumer reporting agencies — if required for large-scale incidents

Coordination

Law enforcement — coordinate if an investigative delay is requested

What to Keep Ready

Prepare Now

Incident Response Plan — roles, escalation, outside counsel + insurer contacts
Incident Contact Matrix — IT/MSP, insurer, key vendors, regulator/AG contacts
Notice Templates — resident notice + regulator notice drafts (pre-approved by counsel)
Baseline Control Evidence — MFA, access reviews, backup/restore testing, vendor oversight

During an Incident

Notification Decision Log — why notice is/isn't required, who approved, when
Incident Timeline — key events, containment steps, decision points
Delivery & Submission Records — notices sent, confirmations, regulator submissions

Exportable Evidence

Export a single incident packet (PDF/ZIP): decision log, timeline, control evidence, and delivery records—ready for counsel, carriers, and regulators.

Incident Packet Decision log, timeline, approval trail

Control Evidence MFA config, backup test proof, access attestations

Notification Records Notices sent, delivery confirmations, regulator receipts

Applies to

If you're treated as a "financial institution" under the FTC Safeguards Rule, these requirements apply. Common examples: tax preparers, accounting firms, and financial advisors.

Authority

FTC Safeguards Rule (16 CFR 314) under the Gramm-Leach-Bliley Act.

FTC Notification

Threshold-based

Certain events may require FTC notification within a defined timeframe. Confirm applicability with counsel.

IRS Stakeholder Liaison

As soon as practicable

Report client data theft for identity protection.

First 24 Hours

Preserve logs and evidence (don't "clean up" yet)
Open an incident ticket and assign an owner
Start the decision log + incident timeline
Notify counsel and your cyber insurer

Key Obligations

Written Program

Risk Assessment

MFA + Encryption

Vendor Oversight

Incident Response

What to Keep Ready

Prepare Now

Tax-Focused WISP — security controls, encryption approach, access controls
MFA Evidence — email, portal, admin accounts configuration
Encryption Documentation — secure storage approach for SSNs and return data
Vendor Inventory — tax software, DMS, e-sign, portal, payroll providers

During an Incident

Notification Decision Log — why notice is/isn't required, who approved, when
Incident Timeline — key events, containment steps, decision points
Submission Records — FTC notification, IRS liaison report (if applicable)

Exportable Evidence

Export a single incident packet (PDF/ZIP): decision log, timeline, control evidence, and delivery records—ready for counsel, carriers, and regulators.

WISP Packet Signed, dated, with current security controls

Control Evidence MFA/encryption config, access review attestations

Vendor Oversight Inventory, due diligence, contract clauses

Incident Packet Timeline, notification records, FTC/IRS receipts

Book a 30‑minute Program Review Book a Program Review

Educational guidance, not legal advice. Confirm statutory requirements and thresholds with counsel and relevant regulators.

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Nationwide Baseline

Core security + breach notification expectations

Federal and common-sense expectations that apply everywhere—written program, MFA, vendor oversight, incident readiness, and evidence you can produce.

Alabama

Ala. Code §27-62-1 to 27-62-11

NAIC 668-style requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

Alaska

SB 134 • Alaska Insurance Data Security Law • AS 21.23.240–.399

State-based requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

Arizona

Nationwide baseline

No dedicated state insurance cybersecurity statute. Baseline expectations still apply: written security plan, risk decisions, vendor oversight, MFA, and incident readiness—with evidence you can export.

Arkansas

Nationwide baseline

California

Nationwide baseline

Colorado

Nationwide baseline

Connecticut

CT Gen. Stat. §38a-38

NAIC 668-style requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

Delaware

18 Del. C. §8601-8611

NAIC 668-style requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

Florida

Nationwide baseline

Georgia

Nationwide baseline

Hawaii

Nationwide baseline

Idaho

Nationwide baseline

Illinois

Public Act 103-0142

NAIC 668-style requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

Indiana

Ind. Code §27-2-27

NAIC 668-style requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

Iowa

Iowa Code §507F

NAIC 668-style requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

Kansas

Nationwide baseline

Kentucky

HB 474 (KRS 304.17D)

NAIC 668-style requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

Louisiana

La. R.S. 22:2501-2511

NAIC 668-style requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

Maine

24-A M.R.S. §2266

NAIC 668-style requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

Maryland

MD Code, Ins. §33-101 to 33-112

NAIC 668-style requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

Massachusetts

Nationwide baseline

Michigan

MCL 500.559

State-based requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

Minnesota

Minn. Stat. §60A.9853

NAIC 668-style requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

Mississippi

Miss. Code Ann. §83-5-801 to 83-5-825

NAIC 668-style requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

Missouri

Nationwide baseline

Montana

Nationwide baseline

Nebraska

Nationwide baseline

Nevada

Nationwide baseline

New Hampshire

RSA 420-P

State-based requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

New Jersey

Nationwide baseline

New Mexico

Nationwide baseline

New York

23 NYCRR 500

Evidence-first expectations (23 NYCRR 500) mapped to what you must show in audits.

North Carolina

Nationwide baseline

North Dakota

NDCC 26.1-02.2

State-based requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

Ohio

Ohio Rev. Code §3965 (SB 220)

NAIC 668-style requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

Oklahoma

Nationwide baseline

Oregon

Nationwide baseline

Pennsylvania

Nationwide baseline

Rhode Island

R.I. Gen. Laws §27-2-30

NAIC 668-style requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

South Carolina

SC Code Ann. §38-99

NAIC 668-style requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

South Dakota

Nationwide baseline

Tennessee

Tenn. Code Ann. §56-2-1001 to 56-2-1012

NAIC 668-style requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

Texas

Nationwide baseline

Utah

Nationwide baseline

Vermont

9 V.S.A. §2435

NAIC 668-style requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

Virginia

Va. Code §38.2-621 to 38.2-629

NAIC 668-style requirements mapped to actions + evidence (WISP, risk, vendors, incident readiness).

Washington

Nationwide baseline

West Virginia

Nationwide baseline

Wisconsin

Nationwide baseline

Wyoming

Nationwide baseline

Ready to map your requirements?

Get a prioritized checklist in 2 minutes—what you have, what’s missing, and what evidence to collect next. Then book a short program review to confirm scope, state deltas, and what to prep for “show me” requests.

Educational guidance, not legal advice. Always confirm requirements with your counsel and relevant regulators.

Book a 30‑minute Program Review Book a 30‑minute Program Review

State-based requirements, translated into proof.

Select your state

State summary

State

First 24 Hours

Key Obligations

Who You Notify

Primary

Conditional

Coordination

What to Keep Ready

Prepare Now

During an Incident

Exportable Evidence

What Examiners Still Expect

First 24 Hours

Key Obligations

What to Keep Ready

Prepare Now

During an Incident

Exportable Evidence

Nationwide Baseline

Alabama

Alaska

Arizona

Arkansas

California

Colorado

Connecticut

Delaware

Florida

Georgia

Hawaii

Idaho

Illinois

Indiana

Iowa

Kansas

Kentucky

Louisiana

Maine

Maryland

Massachusetts

Michigan

Minnesota

Mississippi

Missouri

Montana

Nebraska

Nevada

New Hampshire

New Jersey

New Mexico

New York

North Carolina

North Dakota

Ohio

Oklahoma

Oregon

Pennsylvania

Rhode Island

South Carolina

South Dakota

Tennessee

Texas

Utah

Vermont

Virginia

Washington

West Virginia

Wisconsin

Wyoming

Ready to map your requirements?