812-314-6724 Remote Support Client Portal
Book a Consult

Insurance Ross Decker

FTC Safeguards and Your State's Data-Security Law: What Insurance Agencies Actually Have to Do in 2026

If you run an independent insurance agency, federal law considers you a “financial institution” — which means two overlapping sets of data-security rules now apply to you, both actively enforced in 2026. Most agencies we talk to are partially compliant at best, usually because they assume someone else — the carrier, the AMS vendor, the part-time IT person — is handling it. No one is.

Here’s what the rules actually require, in plain terms, and the specific places agencies get caught short.

Yes, these rules apply to you

The Gramm-Leach-Bliley Act (GLBA) classifies insurance agencies as financial institutions because you handle nonpublic personal information: Social Security numbers, driver’s license numbers, financial account details, dates of birth. That triggers the FTC’s Safeguards Rule at the federal level. Separately, if your state has adopted the NAIC Insurance Data Security Model Law (Model #668), your state department of insurance imposes its own requirements on every licensed producer, agent, and agency.

For agencies in Kentucky, Indiana, Ohio, and Tennessee, both layers apply. West Virginia has not adopted Model #668 as of 2026, so agencies there answer to the federal Safeguards Rule and the state’s general breach-notification law — but not an insurance-specific commissioner regime. If you write business across state lines, you’re effectively bound by the strictest state in which you hold appointments.

Layer one: the FTC Safeguards Rule (the federal floor)

The Safeguards Rule requires you to build and maintain a written information security program. The pieces that trip up agencies most often:

  • A designated qualified individual who owns the program by name — employee or outside provider, but someone specific.
  • A written risk assessment, documented and kept current — not carried around in your head.
  • Access controls and multi-factor authentication on every system that touches customer information. This explicitly includes your email and your agency management system.
  • Encryption of customer data at rest and in transit.
  • Written oversight of third-party providers who handle your data.
  • A written incident response plan.
  • Regular security awareness training for staff.
  • Ongoing monitoring, or annual penetration testing plus twice-yearly vulnerability assessments.

Since May 2024, the Rule also requires you to notify the FTC within 30 days of discovering a breach involving 500 or more consumers’ information — and that notification becomes public. There is no small-business exemption from breach notification.

Agencies holding information on fewer than 5,000 consumers are exempt from a few specific provisions (the written risk assessment, the written incident response plan, the continuous-testing requirement, and the annual report to leadership) — but not from the rest of the program, and not from breach notice. “We’re small” is not a compliance strategy. Penalties run up to roughly $51,744 per violation, per day, and the FTC has pursued non-bank financial institutions through 2025 and into 2026.

Layer two: your state’s NAIC #668 law (the overlay)

If your state adopted Model #668 — KY, IN, OH, and TN all have — you also owe your state insurance commissioner:

  • A written information security program scaled to your size and risk.
  • A risk assessment at least annually.
  • Third-party service-provider oversight.
  • An incident response plan.
  • Notice to the commissioner within 72 hours of a cybersecurity event.

That 72-hour clock is far faster than the federal 30-day one, and the two notifications are separate obligations — a single incident can trigger both. The small-entity carve-out is narrow: agencies under about 10 employees may qualify for limited exemptions, but only from some requirements. Ohio adds a wrinkle worth knowing: its law includes a safe-harbor provision that gives agencies a legal defense if they’ve built their program around a recognized framework like the NIST Cybersecurity Framework — a real incentive to do it right rather than improvise.

Where agencies actually get this wrong

The rules above are public. The failures are predictable, and they’re rarely about not caring — they’re about wrong assumptions:

  • “My carrier or AMS vendor handles security.” They secure their own platform. They don’t run your information security program, train your staff, or own your incident response. Carriers are increasingly conditioning appointments on proof that you do.
  • “We wrote a WISP once.” A program that never gets updated is worse than none — it’s documented evidence you knew the obligation and let it lapse.
  • No MFA on email and the AMS. The single most common gap, and the one that becomes the next bullet.
  • Treating wire fraud as a separate problem from compliance. The business email compromise that reroutes a premium payment and the Safeguards gap that let an attacker into the inbox are the same failure. Compliance done right is what keeps the wire from leaving.
  • Confusing cyber insurance with compliance. Your policy pays out after the fact; it doesn’t satisfy the Safeguards Rule — and carriers increasingly deny claims when required controls like MFA weren’t in place.
  • No one is ready for the clock. When something happens, the 72-hour and 30-day notices start immediately. Most agencies have never rehearsed who calls whom.

What “compliant” actually looks like

Compliance isn’t a binder on a shelf; it’s an operating posture. For a typical agency that means MFA everywhere that touches customer data, a named owner for the program, an annual documented risk assessment, email and AMS hardened against the phishing your team actually receives, written vendor oversight, an incident response plan with both notification clocks built in, and staff who recognize the wire-fraud attempt before it succeeds. Build it on a recognized framework and you pick up Ohio’s safe harbor along the way.

Where REAL fits

We build and run that program for agencies — assessing where you stand against both the Safeguards Rule and your state’s law, closing the gaps, and maintaining it as the rules change (Model #668 is already being amended for AI and third-party data). We know the systems agencies run — Applied Epic, AMS360, EZLynx, HawkSoft — and the wire-fraud and BEC tactics aimed squarely at premium transfers.

Our fully managed onsite service covers the Ohio Valley; we deliver cybersecurity, remote IT support, and security awareness training to agencies anywhere in the US.

See where your agency actually stands — book a Cyber Risk Consult, or take our free security assessment first.

Keep reading

Related guides & next steps

Cybersecurity & IT for insurance agencies

See how REAL secures and supports practices like yours, onsite and remote.

Wire Fraud and Business Email Compromise: How the Premium-Transfer Scam Works — and How Agencies Stop It

How business email compromise turns a premium transfer into a wire-fraud loss — and the controls that stop it. Built for independent insurance agencies.

REAL People. REAL Experience. REAL Solutions.

Book a 20-minute Cyber Risk Consult.

No pressure, no obligation — just a clear picture of where your practice stands.

Book a Cyber Risk Consult