STATE CYBER & BREACH REQUIREMENTS
See What Each State Expects, and What Proof to Keep Ready
Select a state to see:
- Breach notification basics
- Insurance-specific cybersecurity requirements where they apply
- Federal requirements, including FTC Safeguards / GLBA
- The evidence you should be able to produce on demand
Use the state summary to confirm timing, who must be notified, any industry-specific requirements, and the proof a reviewer will expect.
Not legal advice. Use this to scope work and keep records, then confirm specifics with counsel.
Select Your State
One core program can support work across multiple states. Select each state where you operate to map deadlines, notice thresholds, recipients, and any industry-specific requirements into one evidence set.
The map highlights insurance cybersecurity overlays. Breach notification laws apply in every state; exact timing, recipients, thresholds, and insurance classifications still vary by jurisdiction.
* Puerto Rico: Puerto Rico appears in the adopted category on the NAIC Model 668 map dated March 3, 2026. Because Borealis presents a 50-state table and the Summer 2025 NAIC state page still showed Puerto Rico under related activity, Borealis tracks Puerto Rico separately instead of folding it into the 50-state list.
State Summary
Select a state on the map (or from the list) to see:
- What applies to everyone (breach notification and baseline expectations)
- Industry overlays (insurance / tax & accounting)
- The evidence artifacts you should keep ready
Borealis planning baseline
Borealis baseline for regulated firms
Use this as a Borealis planning baseline. Breach notification rules, recipients, thresholds, and state or federal overlays still vary by jurisdiction.
Alabama
Alabama Insurance Data Security Act
NAIC 668-style insurance requirements mapped to actions and evidence.
Alaska
Alaska Insurance Data Security Act
State-specific insurance cybersecurity requirements mapped to actions and evidence.
Arizona
Related insurance activity (not Model 668 adoption)
Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.
Arkansas
Borealis baseline for regulated firms
No dedicated insurance cybersecurity statute. General security, vendor, MFA, and incident expectations still apply.
California
Related insurance activity (not Model 668 adoption)
Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.
Colorado
Related insurance activity (not Model 668 adoption)
Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.
Connecticut
Connecticut Insurance Data Security Law
NAIC 668-style insurance requirements mapped to actions and evidence.
Delaware
Delaware Insurance Data Security Act
NAIC 668-style insurance requirements mapped to actions and evidence.
Florida
Borealis baseline for regulated firms
No dedicated insurance cybersecurity statute. General security, vendor, MFA, and incident expectations still apply.
Georgia
Borealis baseline for regulated firms
No dedicated insurance cybersecurity statute. General security, vendor, MFA, and incident expectations still apply.
Hawaii
Hawaii Insurance Data Security Act
NAIC 668-style insurance requirements mapped to actions and evidence.
Idaho
Borealis baseline for regulated firms
No dedicated insurance cybersecurity statute. General security, vendor, MFA, and incident expectations still apply.
Illinois
Illinois Insurance Data Security Law
NAIC 668-style insurance requirements mapped to actions and evidence.
Indiana
Indiana Insurance Data Security Act
NAIC 668-style insurance requirements mapped to actions and evidence.
Iowa
Iowa Insurance Data Security Act
NAIC 668-style insurance requirements mapped to actions and evidence.
Kansas
Borealis baseline for regulated firms
No dedicated insurance cybersecurity statute. General security, vendor, MFA, and incident expectations still apply.
Kentucky
Kentucky Insurance Data Security Act
NAIC 668-style insurance requirements mapped to actions and evidence.
Louisiana
Louisiana Insurance Data Security Law
NAIC 668-style insurance requirements mapped to actions and evidence.
Maine
Maine Insurance Data Security Act
NAIC 668-style insurance requirements mapped to actions and evidence.
Maryland
Maryland Insurance Data Security Act
NAIC 668-style insurance requirements mapped to actions and evidence.
Massachusetts
Borealis baseline for regulated firms
No dedicated insurance cybersecurity statute. General security, vendor, MFA, and incident expectations still apply.
Michigan
Michigan Data Security in the Insurance Sector Act
NAIC 668-style insurance requirements mapped to actions and evidence.
Minnesota
Minnesota Insurance Data Security Model Law
NAIC 668-style insurance requirements mapped to actions and evidence.
Mississippi
Mississippi Insurance Data Security Law
NAIC 668-style insurance requirements mapped to actions and evidence.
Missouri
Missouri Insurance Data Security Act
NAIC 668-style insurance requirements mapped to actions and evidence.
Montana
Related insurance activity (not Model 668 adoption)
Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.
Nebraska
Related insurance activity (not Model 668 adoption)
Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.
Nevada
Borealis baseline for regulated firms
No dedicated insurance cybersecurity statute. General security, vendor, MFA, and incident expectations still apply.
New Hampshire
New Hampshire Insurance Data Security Law
NAIC 668-style insurance requirements mapped to actions and evidence.
New Jersey
Related insurance activity (not Model 668 adoption)
Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.
New Mexico
Related insurance activity (not Model 668 adoption)
Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.
New York
NYDFS Cybersecurity Regulation
State-specific insurance cybersecurity requirements mapped to actions and evidence.
North Carolina
Related insurance activity (not Model 668 adoption)
Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.
North Dakota
North Dakota Insurance Data Security Act
NAIC 668-style insurance requirements mapped to actions and evidence.
Ohio
Ohio Data Protection Act (Insurance)
NAIC 668-style insurance requirements mapped to actions and evidence.
Oklahoma
Oklahoma Insurance Data Security Act
NAIC 668-style insurance requirements mapped to actions and evidence.
Oregon
Related insurance activity (not Model 668 adoption)
Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.
Pennsylvania
Pennsylvania Insurance Data Security Act
NAIC 668-style insurance requirements mapped to actions and evidence.
Rhode Island
Rhode Island Insurance Data Security Act
NAIC 668-style insurance requirements mapped to actions and evidence.
South Carolina
South Carolina Insurance Data Security Act
NAIC 668-style insurance requirements mapped to actions and evidence.
South Dakota
Related insurance activity (not Model 668 adoption)
Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.
Tennessee
Tennessee Insurance Data Security Law
NAIC 668-style insurance requirements mapped to actions and evidence.
Texas
Borealis baseline for regulated firms
No dedicated insurance cybersecurity statute. General security, vendor, MFA, and incident expectations still apply.
Utah
Related insurance activity (not Model 668 adoption)
Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.
Vermont
Vermont Insurance Data Security Law
NAIC 668-style insurance requirements mapped to actions and evidence.
Virginia
Virginia Insurance Data Security Act
NAIC 668-style insurance requirements mapped to actions and evidence.
Washington
Borealis baseline for regulated firms
No dedicated insurance cybersecurity statute. General security, vendor, MFA, and incident expectations still apply.
West Virginia
Related insurance activity (not Model 668 adoption)
Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.
Wisconsin
Wisconsin Insurance Data Security Act
NAIC 668-style insurance requirements mapped to actions and evidence.
Wyoming
Related insurance activity (not Model 668 adoption)
Related insurance authority exists, but this is not treated here as a current Model 668 adoption. Confirm applicability with counsel and the DOI.
Program Review
Work Through State Requirements With Borealis
Use the state summary to frame the work, then book a short program review to map deadlines, reviewer expectations, and next actions with us.
Breach Notification Review
Walk through timing, recipients, thresholds, and the decisions to document before notices go out.
Book a review call
Incident Readiness Review
Pressure-test the first 72 hours, ownership decisions, and evidence handling before an incident happens.
Book a review call
Reviewer Evidence Review
Walk through the control crosswalk and the evidence reviewers usually expect to see.
Book a review call
Not legal advice. Borealis does not provide standalone download packs; we review your situation with you.
Ready to Map Your Requirements?
Get a prioritized review plan: what you have, what’s missing, and what evidence to organize next. Then book a short program review to confirm scope, state deltas, and what to prep for audit, renewal, and diligence requests.