For Insurance Agencies, Brokers & Producers

What does your state require when client data is breached?

Insurance cybersecurity requirements vary by state. Pick yours to see who you must notify after a data breach, how fast, and the security controls regulators and carriers now expect.


What every insurance agency should have in place

These five controls are the backbone of nearly every state insurance data-security law — and what carriers ask for before they’ll appoint you.

1. Written security program: A documented plan scaled to your size, with a named owner.

2. Annual risk assessment: Find where client data lives and put safeguards in place — MFA, encryption, EDR.

3. Incident-response plan: A written, rehearsed playbook built before a breach, not during it.

4. Vendor oversight: Vet the tech providers who touch your data and put security terms in their contracts.

5. Fast breach reporting: Notify regulators on a clock — often 72 hours — and certify compliance yearly.

What a breach notice to residents must contain

When you have to notify individuals, the letter isn’t free-form — states dictate its content and format.

Insurance cybersecurity requirements by state (full 50-state table)

This reference summarizes, for every U.S. state and the District of Columbia, whether it has adopted the NAIC Model #668 insurance data-security law, which insurance regulator you report a cybersecurity event to, how quickly affected residents must be notified after a data breach, and the verified attorney-general or credit-bureau triggers. Deadlines reflect statutes current as of early 2026; AG thresholds vary and should be confirmed against the current statute.

| State | Insurance data-security law | Report cyber event to | Notify residents within | Also notify (verified) |
|---|---|---|---|---|
| Alabama | Adopted (#668) | Dept. of Insurance | 45 days | AG + credit bureaus if 1,000+ residents |
| Alaska | Adopted (#668) | Division of Insurance | Without undue delay | AG + credit bureaus if 1,000+ residents |
| Arizona | Older / partial | | 45 days | |
| Arkansas | Breach law only | | Without undue delay | No AG/regulator filing required |
| California | Older / partial | | 30 days | AG if 500+ residents; AG filing within 15 days |
| Colorado | Older / partial | | 30 days | AG if 500+ residents |
| Connecticut | Adopted (#668) | Insurance Dept. | 60 days | AG notice required |
| Delaware | Adopted (#668) | Dept. of Insurance | 60 days | |
| District of Columbia | Older / partial | | Without undue delay | |
| Florida | Breach law only | | 30 days | AG if 500+ residents |
| Georgia | Breach law only | | Without undue delay | Credit bureaus if 10,000+; no AG filing |
| Hawaii | Adopted (#668) | Insurance Division | Without undue delay | Consumer Protection + bureaus if 1,000+ |
| Idaho | Breach law only | | Without undue delay | Agencies notify AG within 24 hrs |
| Illinois | Adopted (#668) | Dept. of Insurance | Without undue delay | AG if 500+ residents |
| Indiana | Adopted (#668) | Dept. of Insurance | 45 days | AG + credit bureaus required |
| Iowa | Adopted (#668) | Insurance Division | Without undue delay | |
| Kansas | Breach law only | | Without undue delay | |
| Kentucky | Adopted (#668) | Dept. of Insurance | Without undue delay | |
| Louisiana | Adopted (#668) | Dept. of Insurance | 60 days | |
| Maine | Adopted (#668) | Bureau of Insurance | 30 days | |
| Maryland | Adopted (#668) | Insurance Administration | Without undue delay | |
| Massachusetts | Breach law only | | Without undue delay | |
| Michigan | Adopted (#668) | DIFS | Without undue delay | |
| Minnesota | Adopted (#668) | Dept. of Commerce | Without undue delay | |
| Mississippi | Adopted (#668) | Dept. of Insurance | Without undue delay | |
| Missouri | Older / partial | | Without undue delay | |
| Montana | Older / partial | | Without undue delay | |
| Nebraska | Older / partial | | Without undue delay | |
| Nevada | Breach law only | | Without undue delay | |
| New Hampshire | Adopted (#668) | Insurance Dept. | Without undue delay | |
| New Jersey | Older / partial | | Without undue delay | |
| New Mexico | Older / partial | | 45 days | |
| New York | NY 23 NYCRR 500 | Dept. of Financial Services (portal) | Without undue delay | AG + state agencies required |
| North Carolina | Older / partial | | Without undue delay | |
| North Dakota | Adopted (#668) | Insurance Dept. | Without undue delay | |
| Ohio | Adopted (#668) | Dept. of Insurance | 45 days | |
| Oklahoma | Adopted (#668) | Insurance Dept. | Without undue delay | Breach law amended 2026 — verify |
| Oregon | Adopted (#668) | DCBS / Insurance Division | 45 days | |
| Pennsylvania | Adopted (#668) | Insurance Dept. | Without undue delay | |
| Rhode Island | Adopted (#668) | Insurance Division | 45 days | |
| South Carolina | Adopted (#668) | Dept. of Insurance (form) | Without undue delay | |
| South Dakota | Older / partial | | 60 days | |
| Tennessee | Adopted (#668) | Dept. of Commerce & Insurance | 45 days | Credit bureaus if 1,000+ residents |
| Texas | Breach law only | | 60 days | AG notice required (250+ residents) |
| Utah | Adopted (#668) | Insurance Dept. | Without undue delay | |
| Vermont | Adopted (#668) | Dept. of Financial Regulation | 45 days | |
| Virginia | Adopted (#668) | Bureau of Insurance | Without undue delay | |
| Washington | Breach law only | | 30 days | AG if 500+ residents |
| West Virginia | Older / partial | | Without undue delay | |
| Wisconsin | Adopted (#668) | OCI | 45 days | |
| Wyoming | Adopted (#668) | Insurance Dept. | Without undue delay | |

A breach starts the clock. Be ready before it does.

Trinity Solutions makes Triad insurance agencies audit-ready — security programs, MFA, EDR, 24/7 monitoring, and a rehearsed incident-response plan.

Call 336-303-1730
About this tool: Information reflects state laws current as of early 2026, drawn from the NAIC Model #668 adoption tracker, the Privacy Rights Clearinghouse 50-state survey, and state insurance-department and attorney-general sources. Resident-notification deadlines are reliable; exact attorney-general notification thresholds vary by state and several changed in 2025–2026, so verified triggers are shown where confirmed and others should be checked against the current statute. Look up your state’s regulator in the NAIC insurance-department directory. This is general information for insurance professionals and is not legal advice; for any actual incident, the controlling state statute and qualified counsel are the final word. Related: Trinity’s Cyber Insurance Requirements Checklist and cybersecurity services for insurance agencies.