If you’re breached, state law says you must act fast:

• Notify Affected People: Within 45 days of learning about the breach

• If 1,000+ People Are Affected, you must also contact:

• The New Mexico Attorney General

• Credit Reporting Agencies

Your insurance company may also need to be told within 24–72 hours.

You should prepare to share:

• System logs and investigation reports

• Copies of your customer notice letters

• Invoices showing your losses

• Proof of how your team responded

Most policies also follow New Mexico’s Unfair Claims Practices Act, which outlines how insurers must treat policyholders during a claim.

Under N.J.S.A. §56:8-163 (Disclosure of breach of security to customers), if your business suffers a “breach of security” involving “personal information”:

1. Definition of “Personal Information”: An individual’s first name or first initial and last name linked with any one or more of the following data elements: Social Security number; driver’s license or State identification card number; financial account/credit/debit card number (with security code/password); or user name/email address/other account holder identifying information (with password/security question answer) that would permit access to an online account. This applies to information not secured by encryption or other technology that renders it unreadable/unusable.

2. Definition of “Breach of Security”: Unauthorized access to electronic files, media, or data containing personal information that compromises its security, confidentiality, or integrity. Good faith acquisition by an employee for a legitimate business purpose is not a breach.

3. No Likelihood of Misuse Exception: Disclosure is not required if the business establishes that misuse of the information is not reasonably possible. This determination must be documented and retained for five years.

4. Notify State Police: In advance of disclosure to the customer, report the breach and any related information to the Division of State Police in the Department of Law and Public Safety.

5. Notify Affected Individuals: Disclosure to a customer must be made “in the most expedient time possible and without unreasonable delay”, consistent with law enforcement needs (if notification will impede an investigation) or measures necessary to determine the breach’s scope and restore data integrity.

   • Permitted Methods: Written notice; electronic notice (if consistent with E-SIGN); or substitute notice (if cost > $250,000, or affected class > 500,000, or insufficient contact info).

   • Online Accounts: If the breach involves an online account (username/email + password), notification should direct the customer to change credentials and take other steps to protect the online account. Notification to the breached email account itself is prohibited; another method must be used.

6. Notify Data Owners (if you’re a third-party maintainer): If you maintain records for another entity, you must notify that entity immediately following discovery if personal information was or is reasonably believed to have been accessed by an unauthorized person.

7. Notify Credit Reporting Agencies: If a breach requires notification of more than 1,000 persons at one time, notify all nationwide consumer reporting agencies without unreasonable delay.

Most insurers require notice within 24–72 hours of discovering the breach. You’ll need:

• Forensic and system logs

• Copies of letters sent to customers and agencies

• Recovery invoices and cost breakdowns

• Legal memos from breach counsel

If there’s a disagreement over coverage, most NJ policies include arbitration or mediation, subject to oversight by the DOBI’s Insurance Claims Ombudsman where applicable (N.J.S.A. 17:29E-3g).

If your business experiences a breach, here’s what the law requires under RSA 359-C:20 (Notification of Security Breach Required):

1. Determine Misuse: When aware of a security breach, promptly determine the likelihood that the information has been or will be misused. Notification is not required if, after this investigation, it’s determined that misuse has not occurred and is not reasonably likely to occur.

2. Notify Affected Individuals: If misuse has occurred, is reasonably likely to occur, or if a determination cannot be made, notify affected individuals “as soon as possible” and without unreasonable delay. Delay is permitted only if a law enforcement agency determines it will impede a criminal investigation. Your notice must include at a minimum:

   • A description of the incident in general terms.

   • The approximate date of the breach.

   • The type of personal information obtained.

   • The telephonic contact information of the entity.

3. Notify the Attorney General: If notification to consumers is required, you must report the breach to your primary regulatory authority, if applicable, or to the New Hampshire Attorney General.

4. Notify Credit Reporting Agencies: If a breach requires notification to more than 1,000 consumers, you must also notify, without unreasonable delay, all nationwide consumer reporting agencies (as defined by 15 U.S.C. Section 1681a) of the date of notification to the consumers and the approximate number of consumers affected.

Most insurance providers require you to report the breach within 3 business days of discovery.

📌 SB 255 (NHCEPA) also requires: Businesses that engage in high-risk data processing (like targeted ads or handling sensitive personal data) to conduct data protection assessments. These assessments are not annual certifications, but must be documented and available for review if requested. It also establishes consumer rights like access, deletion, and opt-out, and mandates a 60-day cure period for violations before the Attorney General initiates enforcement action (for violations occurring before January 1, 2026; after that, the cure period is discretionary).

Non-compliance can lead to civil penalties. Under RSA 359-C:21, any person injured by a violation may bring an action for actual damages (or 2-3 times actual damages for willful/knowing violations), plus costs and reasonable attorney’s fees. Enforcement by the Attorney General’s office can also occur under consumer protection laws.

Premiums vary based on size, industry, and digital risk exposure. Here are average Nebraska Cyber Security Cost estimates:

• Small businesses (<25 employees): $500–$2,300/year
• Mid-sized firms (25–100 employees): $3,000–$15,000/year
• Larger organizations: $20,000–$250,000+ with custom policies

Tips to lower your premium:

• Use multi-factor authentication (MFA)
• Conduct annual cybersecurity risk assessments
• Train staff regularly on phishing
• Bundle cyber liability with general liability or errors & omissions (E&O)

Many brokers in Omaha and Lincoln offer tailored policies that match Nebraska cyber insurance market standards.

Montana law requires prompt response when personal data is compromised.

Under Mont. Code Ann. § 30-14-1704, any person or business that conducts business in Montana and that owns or licenses computerized data that includes personal information shall:

1. Conduct an Investigation: Disclose any breach of the security of the data system following discovery or notification of the breach to any resident of Montana whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. This includes when encrypted data and the encryption key are acquired. The business must determine if misuse has occurred or is reasonably likely to occur.
   • Notification is not required if, after a good faith, reasonable, and prompt investigation, the business determines that misuse of the personal information has not and is not reasonably likely to occur. This determination must be documented and retained for five years.
2. Notify Affected Individuals: The disclosure must be made without unreasonable delay, consistent with legitimate law enforcement needs or measures necessary to determine the scope of the breach and restore data integrity.
   • If delayed by law enforcement, the notice must be made after the law enforcement agency determines that it will not compromise the investigation.
   • Notice may be provided by written notice, electronic notice (consistent with E-SIGN), or telephonic notice. Substitute notice is allowed under specific conditions (e.g., cost over $250,000, or affected class over 500,000). Your Notice Must Include:
   • Date of the breach.
   • A description of the breached information (i.e., categories of data exposed).
   • Contact information for the business (or a contact person for more information).
   • Recommended steps to protect against misuse (e.g., contact consumer reporting agencies and the FTC).
   • Remedial steps your business has taken.
3. Notify the Montana Attorney General (Office of Consumer Protection): Any person or business that is required to issue a notification to an individual shall simultaneously submit an electronic copy of the notification and a statement providing the date and method of distribution of the notification to the Attorney General’s Office of Consumer Protection. This submission should exclude any information that personally identifies the consumer.
4. Notify Consumer Reporting Agencies: If a security breach requires notification to more than 1,000 residents at one time, the business shall also notify, without unreasonable delay, all nationwide consumer reporting agencies (as defined in 15 U.S.C. Section 1681a) of the timing, distribution, and content of the consumer notices.

Penalties: A person or business that intentionally fails to give notice in accordance with this section is subject to a fine of not more than $25,000 per breach of the security of the system (Mont. Code Ann. § 30-14-1706).

Claims Process:

• Notify your insurer within 24–72 hours of discovery (per your policy).
• Hire IT forensics and legal counsel.
• Submit all invoices and documentation for review.
• Work with regulators if required—including the AG if the 250-resident threshold for AG notification is met.

The price of cyber insurance for small businesses in MO depends on your industry, company size, past claims, and security practices.

Typical annual premiums:

• Small businesses (1–25 employees): $1,200 – $3,500
• Healthcare and retail: $5,000 – $15,000+
• Mid-sized tech firms: $3,500 – $9,000
• Large companies: $15,000+

Factors that affect cost:

• Cyber hygiene – Multi-factor authentication, staff training, firewalls = lower premiums
• Claims history – Past breaches raise costs
• Policy limits – Higher limits mean higher premiums
• Bundling – Adding cyber to your E&O or general liability policy can reduce cost

Compared to Iowa or Arkansas, Missouri cyber insurance tends to be slightly more expensive due to specific state-level regulations for certain industries (like insurance data security) and the potential for significant legal penalties under its breach notification law.

Mississippi’s breach notification statute (Miss. Code Ann. § 75-24-29) requires disclosure “without unreasonable delay,” subject to the completion of a good faith, reasonable, and prompt investigation to determine the nature and scope of the incident, to identify the affected individuals, or to restore the reasonable integrity of the data system. Notification is not required if, after this appropriate investigation, the person reasonably determines that the breach will not likely result in harm to the affected individuals.

Your 4-Step Claims Process:

1. Notify Your Insurer Immediately: Within 24–72 hours after breach discovery. Claim acknowledgment is due in 5 business days. For insurance licensees, notification to the Mississippi Department of Insurance (MID) is required as promptly as possible, but no later than 3 business days, for certain cybersecurity events involving nonpublic information.
2. Launch a Forensic Investigation: The cyber policy covers this, with an average cost of around $55,000. External IT experts will assess the breach impact, including whether unencrypted personal information was acquired.
3. Notify Victims: If notification is required, it must be to affected individuals whose unencrypted personal information was, or is reasonably believed to have been, intentionally acquired by an unauthorized person. Notice may be provided by written notice, telephone notice, or electronic notice (if consistent with E-SIGN or the primary means of communication). Substitute notice is allowed under specific conditions (e.g., costs exceed $50,000 or affected individuals exceed 100,000).
   • No State Agency Reporting for Private Businesses: Mississippi law (Miss. Code Ann. § 75-24-29) does not explicitly require private businesses to notify the Attorney General or consumer reporting agencies for general data breaches. However, other federal laws (e.g., HIPAA) may require such notifications.
4. Submit Documentation:
   • Forensic reports
   • Public relations/notification expense receipts
   • Proof of business interruption

Most policies include arbitration clauses for dispute resolution under Mississippi contract law. Failure to comply with the data breach notification law is considered an unfair trade practice under Miss. Code Ann. § 75-24-29(7), allowing the Attorney General to seek remedies, but there is no explicit civil penalty amount specified within that section.

If your business is hit by a cyberattack, Minnesota data breach law (Minn. Stat. § 325E.61) says you must notify affected customers “in the most expedient time possible and without unreasonable delay” following discovery or notification of the breach. This applies to unencrypted personal information. Notification may be delayed for legitimate law enforcement needs or measures to determine the scope of the breach and restore system integrity.

Step-by-step process:

1. Report the breach to your insurer: Do this within 24–72 hours after discovering the issue.
2. Start a forensic investigation: Your insurance will cover experts to assess what happened, including whether unencrypted personal information was acquired or is reasonably believed to have been acquired by an unauthorized person.
3. Notify affected individuals: This includes the breach summary, types of data exposed, and a contact number. Notice can be written, telephonic, or electronic. Substitute notice is allowed under specific conditions (e.g., cost exceeds $250,000, or affected class exceeds 500,000).
4. Notify credit reporting agencies: If a breach requires notification of more than 500 persons at one time, the business must also notify, within 48 hours of providing consumer notice, all nationwide consumer reporting agencies (as defined by United States Code, title 15, section 1681a) of the timing, distribution, and content of the notices.
5. Submit documentation: Send in forensic reports, notice copies, and proof of any lost income or legal bills.

Michigan’s Identity Theft Protection Act (MCL §445.72) outlines when and how you must notify people if their data is compromised. This applies to persons or agencies that own or license data that includes personal information about a Michigan resident, or those that maintain such data for another.

Required Steps (MCL §445.72):

• Investigate Promptly: Conduct a good faith, reasonable, and prompt investigation to determine if misuse of personal information has occurred or is reasonably likely to occur. Notification is not required if, after this investigation, it’s determined that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more residents of this state.

• Notify Affected Individuals: Provide notice to the affected Michigan resident without unreasonable delay. Delay is permitted only if necessary to determine the scope of the breach and restore data integrity, or if a law enforcement agency advises delay to impede a criminal/civil investigation or national security.

• Content: Notice must be clear and conspicuous, including a general description of the breach, categories of information compromised, general description of remediation efforts, and a toll-free number/website for assistance, along with a reminder to remain vigilant for fraud.

• Method: Notice can be written (postal mail), telephonic (live conversation required unless certain conditions met), or electronic (if consent given or specific substitute notice conditions are met for larger breaches).

• Notify Consumer Reporting Agencies: If a security breach requires notification of more than 1,000 individuals at one time, the person or agency shall also notify, without unreasonable delay, all nationwide consumer reporting agencies (as defined in 15 USC 1681a(p)) of the timing, distribution, and content of the consumer notices.

• No Direct AG Notification (for private entities): Michigan law does not explicitly require private businesses to notify the Attorney General for general data breaches, unless other federal rules (e.g., HIPAA for breaches of Protected Health Information) apply.

Special Rules for Insurers (MCL §500.559 and §500.561):

• Submit Form FIS-2359 (Notice of Cybersecurity Event) to DIFS as promptly as possible, but not later than 10 business days after determining a cybersecurity event occurred involving nonpublic information, if it meets specific criteria (e.g., affecting 250+ Michigan consumers AND requiring notice to another government body, OR reasonably likely to materially harm a consumer/licensee’s operations).
• Annually certify compliance using Form FIS-2360 (Information Security Program Annual Certification) by February 15 each year.
• Maintain cybersecurity oversight at the executive level.

Penalties (MCL §445.72 for general breaches):

• Failure to provide notice: Civil fine of not more than $250 for each failure to provide notice, capped at $750,000 per security breach.

• Intentional failure to give notice: Misdemeanor punishable by imprisonment for not more than 93 days or a fine of not more than $250.00 for each violation, or both.

• Intent to defraud (by providing notice when no breach occurred): Misdemeanor punishable by imprisonment for not more than 93 days or a fine of not more than $250.00 for each violation, or both.

• Regulatory fines or license suspension for insurers (under MCL §500.561, civil fines of up to $1,000 per violation for certain acts or practices).

No law requires a company to carry cyber insurance—but if a breach happens, lacking it could lead to significant financial liability, bankruptcy, or contract cancellation.

Massachusetts requires businesses to act quickly and transparently.

If a breach occurs, and you own or license the data:

1. Investigate Immediately: Conduct a good faith, reasonable, and prompt investigation to determine if misuse of personal information has occurred or is reasonably likely to occur. Notification is not required if, after this investigation, it is determined there is no substantial risk of identity theft or fraud. This determination must be documented and retained for five years.
2. Notify Affected Individuals: You must provide notice to the resident as soon as practicable and without unreasonable delay. Notice should not be delayed because the total number of residents affected is not yet known; updated notice should be provided later.
   • Required Content for Consumer Notice: The notice must include the consumer’s right to obtain a police report, information on how to request a security freeze at no charge (and the necessary information to request it). If the incident involved a Social Security number, credit monitoring services must be offered at no cost for a period of not less than 18 months (or 42 months if the affected entity is a consumer reporting agency).
   • Prohibited Content for Consumer Notice: The notice must not include the nature of the breach or the number of Massachusetts residents affected by the security breach.
3. Notify the Attorney General and OCABR: Written notice must be given to the Attorney General and the Director of the Office of Consumer Affairs and Business Regulation (OCABR) as soon as practicable and without unreasonable delay after becoming aware of the breach. A sample copy of the consumer notice sent must be provided to both.
   • Required Content for AG/OCABR Notice: This notice must include (i) the nature of the breach, (ii) the number of residents affected, (iii) the name/address of the entity experiencing/reporting the breach, (iv) the type of personal information compromised, (v) whether the entity maintains a written information security program, and (vi) steps taken or planned relating to the incident.
4. Notify Consumer Reporting Agencies (via OCABR): The Director of OCABR will identify any relevant consumer reporting agency or state agency and forward their names to the notifying entity. The entity shall then, as soon as practicable and without unreasonable delay, also provide notice to these identified consumer reporting agencies. This avoids over-reporting and ensures only the appropriate agencies are contacted.

Also, most policies require that you notify your cyber insurance carrier within 24 to 72 hours to avoid coverage issues.

Penalties: Violations of M.G.L. Chapter 93H are often enforced under M.G.L. Chapter 93A (the Massachusetts Consumer Protection Act), which allows the Attorney General to seek civil penalties (e.g., up to $5,000 per violation for each willful or knowing violation), injunctive relief, and attorneys’ fees. Consumers may also seek actual damages or statutory damages (up to treble damages for willful/knowing violations).