In the wake of the many breaches facing companies across the country, many states are beginning to pass legislation to curtail criminal activity and to add procedures for companies to protect data.
The most visible piece of legislation to come out of the states' fight against cyber breaches is the California Consumer Privacy Act (CCPA) or the California General Data Protection Regulation (GDPR). It is based on the EU model, and when it goes into effect in 2020, Californians will have the right to demand that tech companies not use their data and even to opt out. As most US tech companies like YouTube and Facebook are based in California, many of them are currently fighting to make sure they are minimally impacted.
Many states are not going to that extreme to protect customers' data. For insurance companies, many states are willing to follow a much simpler model. Developed from New York's Department of Financial Services and modified by the National Association Insurance Commission (NAIC), the law calls for written security procedures from insurance companies that want to operate in the state, among them when to report a breach to the relevant insurance departments. For example, South Carolina expects a 72-hour notice when a breach is detected, while Michigan is more lenient at 10 days. In addition, there will be exceptions and guidelines based on the size of the company working in the state. According to Alan Brener, former assistant director and current counsel to Ohio's Department of Insurance, "States will look at this as a pro-consumer protection."
As states pass their legislation, insurance companies should learn to keep up with the various laws. As part of this review, they should also review their security procedures, as many states now require them before a company can work in the state.