Data Security & Compliance Roadmap
INTERNAL · v1.0
FOR DEVELOPER & COUNSEL
NOT LEGAL ADVICE
Purpose
Prevent collects sensitive personal and financial data — especially through the Free Policy Review upload. This roadmap outlines the laws that apply and the technical and organizational controls needed to comply and protect customers. It is a starting checklist to work through with a qualified attorney and a security professional — not a substitute for either.
Two specialists are required. A website design cannot make an organization compliant. You need (1) an insurance-specialized attorney to confirm obligations in each state you operate, and (2) a developer / security professional to implement and maintain the technical controls. This document helps you brief both.
1. Laws that likely apply to Prevent
GLBAFederal
The Gramm-Leach-Bliley Act governs how financial institutions — including insurance agencies — handle nonpublic personal information. Requires a privacy notice and a written information security program.
FTC Safeguards RuleFederal
Requires a documented information security program with specific elements: a qualified person in charge, risk assessments, access controls, encryption, multi-factor authentication, monitoring, and a written incident response plan.
NAIC Model LawState (adopted)
The Insurance Data Security Model Law has been adopted by many states. It mandates a written information security program, board/management oversight, third-party vendor oversight, and prompt breach notification to the insurance commissioner.
State data lawsMA, CT, RI, NH, ME, NJ, FL
Each state where Prevent is licensed has its own data-protection and breach-notification statutes. Massachusetts (201 CMR 17.00) and Connecticut are notably strict, requiring a Written Information Security Program (WISP), encryption of personal data in transit and on portable devices, and specific breach timelines.
Action: Have counsel produce a single chart mapping each of your seven states' requirements, then build to the strictest common denominator so one program covers them all.
2. Technical controls (for your developer)
Protecting data in transit & at rest
HTTPS / TLS everywhere — valid certificate, HTTP redirected to HTTPS, modern TLS only.
Encrypt uploads at rest — policy documents stored encrypted (e.g., AES-256), not in a public bucket or plain web folder.
Secure upload pipeline — files scanned for malware, size/type validated server-side, stored outside the web root with no public URLs.
Access & identity
Multi-factor authentication on every staff/admin account.
Role-based access — staff see only the data they need; access logged and reviewed.
Strong secrets management — no API keys or passwords in front-end code or source control.
Operations
Encrypted backups with tested recovery.
Logging & monitoring for unusual access; alerts configured.
Patch management — keep servers, frameworks, and dependencies updated.
Reputable hosting — a provider that will sign a data-processing / business-associate-style agreement and offers compliance documentation.
On the current prototype: the website you've seen is a front-end design. The contact form, Free Policy Review upload, and AI chat are demonstrations — they do not yet transmit or store data on a secure backend. Implementing the controls above is the engineering work required before collecting any real customer data.
3. Organizational controls (for the agency)
Written Information Security Program (WISP) — the core document several laws require; counsel + security pro draft it together.
Designated security lead — a named person accountable for the program.
Annual risk assessment — identify and document risks and mitigations.
Vendor oversight — contracts requiring service providers to protect data.
Staff training — phishing awareness and secure-handling practices.
Incident response plan — written steps and state-specific breach-notification timelines.
Data retention & secure disposal schedule.
Cyber liability insurance — in addition to E&O, to cover breach response costs.
4. Suggested sequence
Phase 1 — Before collecting any real dataEngage counsel + security pro. Stand up HTTPS, secure hosting, encrypted upload + storage, MFA, and a published privacy notice. Draft the WISP and incident response plan.
Phase 2 — At launchTurn on logging/monitoring and backups. Train staff. Put vendor agreements in place. Confirm consent capture (the unchecked, required checkbox at upload) is logged.
Phase 3 — OngoingAnnual risk assessment, patch cadence, access reviews, and program updates as laws and services change.
This roadmap is an internal planning aid prepared alongside the Prevent Insurance Agency website. It is informational only and is not legal, regulatory, or cybersecurity advice. Specific obligations vary by state and by how the business operates. Engage a licensed attorney and a qualified information-security professional to assess your requirements and implement, validate, and maintain appropriate safeguards before collecting real customer data.