Cyber insurance premiums in South Dakota are generally lower than in heavily regulated states, but costs still vary based on size, industry, and security controls.

• Small Businesses (Under 10 Employees):
  • Premium: $1,200–$7,000 per year
  • Deductibles: Around $2,500
• Midsize Firms (10–100 Employees):
  • Premium: $2,500–$15,000 per year
  • Deductibles: $10,000–$50,000
• Large Enterprises:
  • Premium: $25,000+ annually
  • Higher coverage limits and optional extensions

Discounts are available for businesses that:

• Use multi-factor authentication (MFA).
• Encrypt sensitive data at rest and in transit.
• Train staff in basic cybersecurity hygiene.
• Have gone five years without a claim.
• Bundle cyber coverage with general liability or E&O insurance.

The cost of cyber insurance in South Carolina depends on your business size, industry, and security practices.

Average premiums:

• Small businesses (<10 employees): $1,200–$3,000 per year
• Midsize firms (10–100 employees): $2,500–$15,000 per year
• Larger businesses: $25,000+ annually, with higher coverage needs

Ways to lower your premium:

• Use multi-factor authentication (MFA).
• Run staff training on cyber safety.
• Encrypt customer and employee data.
• Avoid past cyber insurance claims.
• Bundle with other business policies.

South Carolina rates are generally lower than national averages, but rural areas face slower response times and fewer IT resources, which can increase risks.

Cyber insurance cost in Rhode Island depends on your business size, risk profile, and data exposure.

Estimated Annual Premiums:

• Small Businesses (<10 employees): $1,200–$7,000
• Midsize Firms (10–100 employees): $2,500–$15,000
• Large Enterprises: $25,000+

Deductibles average around $2,500 for small businesses, with higher amounts for larger operations.

Discounts May Apply If You:

• Use multi-factor authentication (MFA).
• Conduct phishing training for employees.
• Encrypt all stored and transmitted data.
• Have a clean claims history.
• Bundle cyber with general liability or E&O coverage.

Compared to Massachusetts or Connecticut, Rhode Island premiums are mid-range, with similar breach laws and reporting thresholds.

Pennsylvania lawmakers are moving to strengthen data privacy and business accountability. Key developments:

• December 11, 2023: The Pennsylvania Insurance Data Security Act (40 Pa. C.S.A. § 4501 et seq.) went into effect, requiring insurance licensees to implement information security programs and report cybersecurity events.
• September 26, 2024: Significant amendments to the BPINA (73 P.S. § 2301 et seq.) became effective (via SB 824), lowering thresholds for AG/CRA notification (from 1,000 to 500 individuals), expanding definitions of personal information, and mandating 12 months of free credit monitoring for certain data breaches.
• 2025 (Proposed Legislation, SB 378): New privacy rules (e.g., Senate Bill 378, the “Student Data Protection Act”) continue to be introduced for K–12 vendors and potentially other educational entities. These laws are driving more schools and tech providers to carry cyber insurance.
• Proposed Legislation (e.g., HB 2147 in previous sessions): Proposed legislation has been introduced that would require IT contractors and vendors working with public agencies to carry active cyber insurance coverage Pennsylvania. This indicates ongoing legislative interest in this area.

Although Pennsylvania has not passed a sweeping comprehensive consumer data privacy act like California’s CCPA, enforcement of data breach laws is increasing every year.

If your company experiences a breach involving personal data, you must follow Oregon data breach law (ORS 646A.604):

Legal Requirements:

• Notify affected individuals within 45 days
• Notify the Attorney General if more than 250 residents are affected
• Maintain records of all breach response actions

Violating these laws can lead to state fines, lawsuits, and enforcement by the Oregon Department of Justice.

New Privacy Obligations Under the OCPA:

Businesses that meet OCPA thresholds must also:

• Honor consumer requests to access or delete their data
• Provide clear opt-out tools for targeted advertising
• Disclose data sharing and processing practices

These rules apply to many small businesses and nonprofits if they handle large amounts of personal data.

The Oklahoma Security Breach Notification Act (24 O.S. §§161–166) applies to individuals or entities that own or license computerized data that includes “personal information” about an Oklahoma resident. It was significantly amended by SB 626, effective January 1, 2026.

Key Requirements & Updates:

1. Definition of “Personal Information” (Amended by SB 626):
   • Expands to include biometric data (e.g., fingerprints, retina scans) and unique electronic identifiers/routing codes when combined with security credentials that permit access to an individual’s financial account.
   • Still applies to an individual’s first name or first initial and last name in combination with unencrypted or unredacted Social Security number, driver’s license, or financial account information (with access code/password).
2. Definition of “Breach of Security” (Amended by SB 626):
   • Includes unauthorized access to and acquisition of unredacted or unencrypted personal information, or encrypted information accessed in an unencrypted form, or if the breach involves a person with access to the encryption key.
   • Also broadened to include “unauthorized utilization of computerized data” that compromises integrity, confidentiality, or availability of PII, with certain factors to consider (e.g., indications a cybersecurity incident occurred).
3. Duty to Investigate & Determine Harm:
   • Required to disclose if unencrypted or unredacted personal information was accessed and acquired, and the entity reasonably believes misuse has caused or will cause identity theft or other fraud.
   • Notification is not required if, after a good faith, reasonable, and prompt investigation, it’s determined misuse of personal information has not occurred and is not reasonably likely to occur. This determination must be documented.
4. Notify Affected Individuals:
   • Disclosure must be made “in the most expedient time possible and without unreasonable delay.”
   • Delay is permitted only if a law enforcement agency determines it will impede a criminal or civil investigation or homeland/national security. Notification must then be made without unreasonable delay after law enforcement advises.
   • Content (Amended by SB 626): Notices should include the date of the breach, the date of its determination, the nature of the breach, type of personal information exposed, number of residents affected, estimated monetary impact of the breach, and any reasonable safeguards employed.
   • Methods: Mail, telephone, or electronic (consistent with E-SIGN). Substitute notice allowed under specific conditions.
5. Notify Oklahoma Attorney General (New Requirement, SB 626, effective Jan 1, 2026):
   • Required if the data breach affects 500 or more Oklahoma residents, or 1,000 or more Oklahoma residents in the case of a data breach at a credit bureau.
   • Notification to the AG must be provided within 60 days after providing notice to impacted residents.
6. Notify Consumer Reporting Agencies:
   • If a security breach requires notification to more than 1,000 residents at one time, the business must also notify, without unreasonable delay, all major consumer credit reporting agencies (as defined in 15 U.S.C. Section 1681a) of the timing, distribution, and content of the consumer notices.

Penalties (Amended by SB 626):

• Failure to use “reasonable safeguards” can result in a civil penalty of $75,000 if breach notification requirements are met.
• If notification requirements are not met, the higher civil penalty cap of $150,000 applies.
• Entities using “reasonable safeguards” and providing proper breach notifications will not be subject to civil penalties and will have an affirmative defense.
• Violations may also be subject to the Oklahoma Consumer Protection Act.

Your insurer typically requires you to report a breach within 24 to 72 hours of discovery. Be ready to provide incident logs, forensic reports, proof of notification letters, and details of costs and damages.

If your claim is denied, most policies require arbitration before filing a lawsuit. All Oklahoma insurers must also comply with Title 36’s fair claims handling rules.

Ohio-Specific Legal Obligations

Insurance Industry Cybersecurity Event Reporting Under Ohio Revised Code Chapter 3965, covered licensees must notify the Ohio Department of Insurance within three business days when cybersecurity events meet specific thresholds:

• Events where Ohio is the licensee’s domicile state and notice is required to residents
• Events with reasonable likelihood of materially harming consumers or normal operations
• Events affecting personal information of 250 or more Ohio consumers

General Data Breach Notification Requirements Ohio businesses must provide timely notification to affected individuals when personal information is compromised in a manner that creates risk of identity theft or fraud.

Insurance Claim Response Process

Immediate Incident Notification Contact your cyber liability insurance carrier as soon as you become aware of a potential cyber incident. Many policies require notification within 24-48 hours to ensure coverage eligibility and coordinate response efforts.

Coordinated Investigation and Response Insurance carriers typically work with specialized cybersecurity firms and legal counsel to:

• Conduct forensic analysis to determine incident scope and impact
• Develop containment strategies to prevent further damage
• Coordinate regulatory notifications and compliance requirements
• Manage communications with affected parties and media

Recovery and Business Continuity Support

Operational Restoration Assistance Cyber liability policies often provide resources to help maintain business operations during recovery, including:

• Alternative processing arrangements and technology resources
• Temporary staffing for critical business functions
• Emergency communication systems for customer and vendor coordination
• Reputation management and public relations support

Immediate Response Requirements

Notification Obligations Under North Dakota law, businesses must notify affected residents “without undue delay” when personal information is compromised. The notification must include:

• Description of the incident and types of information involved
• Steps taken to investigate and secure systems
• Contact information for individuals with knowledge of the breach
• Recommendations for protective measures residents can take

Insurance Company Notification Contact your cyber liability insurance carrier immediately upon discovering a potential incident. Many policies require notification within specific timeframes to ensure coverage eligibility.

Investigation and Documentation Process

Forensic Analysis Insurance carriers typically coordinate with specialized cybersecurity firms to:

• Determine the scope and nature of the security incident
• Identify affected systems and compromised information
• Preserve evidence for potential legal proceedings
• Develop containment and remediation strategies

Regulatory Reporting For insurance industry licensees, North Dakota requires reporting to the Insurance Commissioner within three business days when cybersecurity events meet specific thresholds involving material harm to consumers or affecting multiple state residents.

Recovery and Restoration Support

Business Continuity Assistance Cyber liability policies often provide resources to help maintain operations during recovery, including:

• Alternative processing arrangements
• Emergency technology rentals
• Temporary staffing for critical functions
• Communication support for customer notifications

If your business experiences a cyber event, move quickly. Most policies require you to notify the insurer within 24–72 hours.

Under the NC Data Breach Notification Law (N.C. Gen. Stat. § 75-65), for any business that owns or licenses personal information about residents of North Carolina:

1. Definition of Personal Information: An individual’s first name or first initial and last name in combination with identifying information (Social Security number, driver’s license, financial account numbers with access codes, digital signatures, biometric data, passwords, etc.). It generally excludes publicly available information and certain email/Internet account info unless it allows financial access.
2. Definition of Security Breach: An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. It also includes unauthorized acquisition of encrypted data along with the confidential process or key.
3. Investigate & Determine Harm: Conduct a good faith, reasonable, and prompt investigation to determine if misuse has occurred or is reasonably likely to occur. Notification is not required if, after this investigation, it is determined that misuse has not occurred and is not reasonably likely to occur. This determination must be documented.
4. Notify Affected Individuals: You must notify people “without unreasonable delay,” consistent with legitimate law enforcement needs or measures necessary to determine the breach’s scope and restore data integrity.
   • Permitted Delay: Notice may be delayed if a law enforcement agency determines that notification may impede a criminal investigation or jeopardize national/homeland security.
   • Methods: Written notice, electronic notice (consistent with E-SIGN), or substitute notice (if cost exceeds $250,000 or affected class exceeds 500,000).
   • Content: The notice must explain the incident in general terms, the type of personal information compromised, general acts of the business to protect the information, a telephone number for assistance, and advice to remain vigilant by reviewing account statements and monitoring free credit reports (including toll-free numbers and addresses for major consumer reporting agencies).
5. Notify Attorney General: In the event a business provides notice to an affected person, the business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General’s Office of the nature of the breach, the number of consumers affected, steps taken to investigate, and remediation efforts.
6. Notify Consumer Reporting Agencies: In the event a business provides notice to more than 1,000 persons at one time, the business shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

Though there’s no hard deadline in the law, best practices often suggest quicker action, such as 30 days. Failing to act fast could lead to legal trouble. In 2023, while no specific public fine was widely reported for a North Carolina hospital solely for delay in reporting, HIPAA violations (which can include delayed reporting) have led to fines.

If there’s a dispute with your insurer, North Carolina’s unfair claims law (§58‑63‑15) protects your right to a fair resolution.

Pricing depends on your business size, risk profile, and location.

Estimated Annual Premiums:

• Small Business (<25 employees): $750–$3,500 (Coverage: $1M–$5M; Deductible: $1K–$15K). NYC-based companies may pay 25–40% more.

• Mid-Sized Business (25–500 employees): $3,500–$20,000+ (Risk exposure, past incidents, and controls affect pricing).

• Large Enterprises / Financial Institutions: $50,000–$1M+ (Many carry $100M–$500M in limits; deductibles can exceed $500K for Wall Street firms).

Tip: DFS-regulated entities may receive discounts by conducting annual penetration tests, using MFA, and implementing board-level oversight, among other robust security controls.

Explore the role of technology in workers’ compensation and how it can strengthen your company’s protection approach.