STATE CYBER & BREACH REQUIREMENTS

State-based requirements, translated into proof

Select a state to see:

Breach notification basics (applies to everyone)
Insurance cybersecurity overlays (where adopted)
Federal overlays (FTC Safeguards / GLBA)
The evidence you should be able to produce on demand

Use the state summary to confirm timing, recipients, industry overlays, and the proof a reviewer will expect.

Book a 30‑Minute Program Review Browse State Requirements

Free • no obligation • based on real regulator and auditor questions

Not legal advice. Use this to scope work and keep records; confirm specifics with counsel.

Select Your State

One core program can support multi-jurisdiction compliance, but state-specific breach deadlines, notice thresholds, recipients, and insurance-law overlays still require jurisdiction-by-jurisdiction mapping.

Operate in multiple states? Select each state you care about and map the stricter state-specific rules into the same evidence set.

For complete U.S. coverage, also include the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands.

How to Use This Page

Pick the state(s) where you operate or are licensed.
Use the summary to capture timing, who must be notified, and what records to keep.
Keep one evidence set current, then export when a reviewer asks.

Downloadable Checklists (Plain-English)

Not legal advice. Templates and examples to help you keep a clean record.

Control crosswalk / reviewer evidence examples

Examples of reviewer evidence, not a universal legal checklist that applies identically in every jurisdiction.

Written program with a named owner and documented review cadence
Training records (completion and acknowledgments)
Vendor oversight notes (including MSP and key platforms)
Incident plan and tabletop record
A reusable evidence set kept current enough to support reviewer requests

This filter only changes what is shown below. It does not change what firms are obligated to do.

Interactive map

State-specific insurance cybersecurity statutes NAIC model-law baseline states

NAIC model-law baseline states

State-specific insurance cybersecurity statutes

No dedicated insurance cybersecurity statute

The map highlights insurance cybersecurity overlays. Breach notification laws apply in every state; exact timing, recipients, thresholds, and insurance classifications still vary by jurisdiction.

Puerto Rico

Puerto Rico appears in the adopted category on the NAIC Model 668 map dated March 3, 2026. Because Borealis presents a 50-state table and the Summer 2025 NAIC state page still showed Puerto Rico under related activity, Borealis tracks Puerto Rico separately instead of folding it into the 50-state list.

Authority note: NAIC Model 668 implementation map dated March 3, 2026, cross-checked against the Summer 2025 NAIC state-page chart.

State Summary

Select a state on the map (or from the list) to see:

What applies to everyone (breach notification and baseline expectations)
Industry overlays (insurance / tax & accounting)
The evidence artifacts you should keep ready

State

Book a 30‑Minute Program Review

State

What applies and what to keep ready

Book a 30‑Minute Program Review

Breach Notification All orgs with state resident data

Insurance Cybersecurity Insurance licensees

Federal Overlays FTC Safeguards / GLBA

Applies to

Applicability depends on whether the entity is a covered financial institution under FTC jurisdiction. Common examples can include tax return preparers, tax professional firms, accounting firms, and some financial advisors.

Authority

FTC Safeguards Rule (16 CFR 314) under the Gramm-Leach-Bliley Act.

FTC Notification

At least 500 consumers / 30 days outer limit

For a notification event involving at least 500 consumers' unencrypted customer information, covered institutions must notify the FTC as soon as possible and no later than 30 days after discovery.

IRS Stakeholder Liaison

Immediately / as soon as possible

IRS guidance says tax professionals should report client data theft immediately / as soon as possible to the local IRS stakeholder liaison.

Best-practice incident response playbook

Operational guidance to stabilize an incident response and preserve options. It is not a statutory deadline.

Preserve logs and evidence (do not "clean up" yet)
Open an incident ticket and assign an owner
Start the decision log and incident timeline
Notify counsel and your cyber insurer

Key Obligations

Written Program

Risk Assessment

MFA and Encryption

Vendor Oversight

Incident Response

What to Keep Ready

Prepare Now

Tax-Focused WISP - written security plan for taxpayer data, access controls, and encryption approach
MFA Evidence - email, portal, admin accounts configuration
Encryption Documentation - secure storage approach for SSNs and return data
Vendor Inventory - tax software, DMS, e-sign, portal, payroll providers

During an Incident

Notification Decision Log - why notice is/isn't required, who approved, when
Incident Timeline - key events, containment steps, decision points
Submission Records - FTC notification, IRS liaison report (if applicable)

Exportable Evidence

Export a single incident packet (PDF/ZIP): decision log, timeline, control evidence, and delivery records - ready for counsel, carriers, and regulators.

WISP Packet Signed, dated, with current security controls

Control Evidence MFA/encryption config, access review attestations

Vendor Oversight Inventory, due diligence, contract clauses

Incident Packet Timeline, notification records, FTC/IRS receipts

Book a 30‑Minute Program Review Call Us Directly

Educational guidance, not legal advice. Confirm statutory requirements and thresholds with counsel and relevant regulators.

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Borealis planning baseline

Borealis baseline for regulated firms

Use this as a Borealis planning baseline. Breach notification rules, recipients, thresholds, and state or federal overlays still vary by jurisdiction.

Alabama

Alabama Insurance Data Security Act

NAIC 668-style insurance requirements mapped to actions and evidence.

Alaska

Alaska Insurance Data Security Act

State-specific insurance cybersecurity requirements mapped to actions and evidence.

Arizona

Related insurance activity (not Model 668 adoption)

Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.

Arkansas

Borealis baseline for regulated firms

No dedicated insurance cybersecurity statute. General security, vendor, MFA, and incident expectations still apply.

California

Related insurance activity (not Model 668 adoption)

Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.

Colorado

Related insurance activity (not Model 668 adoption)

Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.

Connecticut

Connecticut Insurance Data Security Law

NAIC 668-style insurance requirements mapped to actions and evidence.

Delaware

Delaware Insurance Data Security Act

NAIC 668-style insurance requirements mapped to actions and evidence.

Florida

Borealis baseline for regulated firms

No dedicated insurance cybersecurity statute. General security, vendor, MFA, and incident expectations still apply.

Georgia

Borealis baseline for regulated firms

No dedicated insurance cybersecurity statute. General security, vendor, MFA, and incident expectations still apply.

Hawaii

Hawaii Insurance Data Security Act

NAIC 668-style insurance requirements mapped to actions and evidence.

Idaho

Borealis baseline for regulated firms

No dedicated insurance cybersecurity statute. General security, vendor, MFA, and incident expectations still apply.

Illinois

Illinois Insurance Data Security Law

NAIC 668-style insurance requirements mapped to actions and evidence.

Indiana

Indiana Insurance Data Security Act

NAIC 668-style insurance requirements mapped to actions and evidence.

Iowa

Iowa Insurance Data Security Act

NAIC 668-style insurance requirements mapped to actions and evidence.

Kansas

Borealis baseline for regulated firms

No dedicated insurance cybersecurity statute. General security, vendor, MFA, and incident expectations still apply.

Kentucky

Kentucky Insurance Data Security Act

NAIC 668-style insurance requirements mapped to actions and evidence.

Louisiana

Louisiana Insurance Data Security Law

NAIC 668-style insurance requirements mapped to actions and evidence.

Maine

Maine Insurance Data Security Act

NAIC 668-style insurance requirements mapped to actions and evidence.

Maryland

Maryland Insurance Data Security Act

NAIC 668-style insurance requirements mapped to actions and evidence.

Massachusetts

Borealis baseline for regulated firms

No dedicated insurance cybersecurity statute. General security, vendor, MFA, and incident expectations still apply.

Michigan

Michigan Data Security in the Insurance Sector Act

NAIC 668-style insurance requirements mapped to actions and evidence.

Minnesota

Minnesota Insurance Data Security Model Law

NAIC 668-style insurance requirements mapped to actions and evidence.

Mississippi

Mississippi Insurance Data Security Law

NAIC 668-style insurance requirements mapped to actions and evidence.

Missouri

Missouri Insurance Data Security Act

NAIC 668-style insurance requirements mapped to actions and evidence.

Montana

Related insurance activity (not Model 668 adoption)

Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.

Nebraska

Related insurance activity (not Model 668 adoption)

Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.

Nevada

Borealis baseline for regulated firms

No dedicated insurance cybersecurity statute. General security, vendor, MFA, and incident expectations still apply.

New Hampshire

New Hampshire Insurance Data Security Law

NAIC 668-style insurance requirements mapped to actions and evidence.

New Jersey

Related insurance activity (not Model 668 adoption)

Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.

New Mexico

Related insurance activity (not Model 668 adoption)

Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.

New York

NYDFS Cybersecurity Regulation

State-specific insurance cybersecurity requirements mapped to actions and evidence.

North Carolina

Related insurance activity (not Model 668 adoption)

Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.

North Dakota

North Dakota Insurance Data Security Act

NAIC 668-style insurance requirements mapped to actions and evidence.

Ohio

Ohio Data Protection Act (Insurance)

NAIC 668-style insurance requirements mapped to actions and evidence.

Oklahoma

Oklahoma Insurance Data Security Act

NAIC 668-style insurance requirements mapped to actions and evidence.

Oregon

Related insurance activity (not Model 668 adoption)

Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.

Pennsylvania

Pennsylvania Insurance Data Security Act

NAIC 668-style insurance requirements mapped to actions and evidence.

Rhode Island

Rhode Island Insurance Data Security Act

NAIC 668-style insurance requirements mapped to actions and evidence.

South Carolina

South Carolina Insurance Data Security Act

NAIC 668-style insurance requirements mapped to actions and evidence.

South Dakota

Related insurance activity (not Model 668 adoption)

Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.

Tennessee

Tennessee Insurance Data Security Law

NAIC 668-style insurance requirements mapped to actions and evidence.

Texas

Borealis baseline for regulated firms

No dedicated insurance cybersecurity statute. General security, vendor, MFA, and incident expectations still apply.

Utah

Related insurance activity (not Model 668 adoption)

Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.

Vermont

Vermont Insurance Data Security Law

NAIC 668-style insurance requirements mapped to actions and evidence.

Virginia

Virginia Insurance Data Security Act

NAIC 668-style insurance requirements mapped to actions and evidence.

Washington

Borealis baseline for regulated firms

No dedicated insurance cybersecurity statute. General security, vendor, MFA, and incident expectations still apply.

West Virginia

Related insurance activity (not Model 668 adoption)

Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.

Wisconsin

Wisconsin Insurance Data Security Act

NAIC 668-style insurance requirements mapped to actions and evidence.

Wyoming

Related insurance activity (not Model 668 adoption)

Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.

Ready to Map Your Requirements?

Get a prioritized checklist - what you have, what’s missing, and what evidence to collect next. Then book a short program review to confirm scope, state deltas, and what to prep for audit, renewal, and diligence requests.

Educational guidance, not legal advice. Always confirm requirements with your counsel and relevant regulators.

Book a 30‑Minute Program Review Call Us Directly

State-based requirements, translated into proof

Select Your State

How to Use This Page

Downloadable Checklists (Plain-English)

Control crosswalk / reviewer evidence examples

Puerto Rico

State Summary

State

What Examiners Still Expect

Best-practice incident response playbook

Key Obligations

What to Keep Ready

Prepare Now

During an Incident

Exportable Evidence

Borealis planning baseline

Alabama

Alaska

Arizona

Arkansas

California

Colorado

Connecticut

Delaware

Florida

Georgia

Hawaii

Idaho

Illinois

Indiana

Iowa

Kansas

Kentucky

Louisiana

Maine

Maryland

Massachusetts

Michigan

Minnesota

Mississippi

Missouri

Montana

Nebraska

Nevada

New Hampshire

New Jersey

New Mexico

New York

North Carolina

North Dakota

Ohio

Oklahoma

Oregon

Pennsylvania

Rhode Island

South Carolina

South Dakota

Tennessee

Texas

Utah

Vermont

Virginia

Washington

West Virginia

Wisconsin

Wyoming

Ready to Map Your Requirements?