Legacy Core™

Regulatory context

Insurance Agencies (California)

Licensed California insurance agents and brokers

Binding framework

California breach notification (Cal. Civ. Code § 1798.29 / § 1798.82); CCPA/CPRA if revenue and data thresholds are met; CDI licensing rules

California insurance agents face state breach-notification and privacy obligations, but California has not adopted the NAIC Insurance Data Security Model Law (#668) that applies in roughly 28 other states.

Key obligations (summary)

  • California data breach notification when personal information is compromised
  • CCPA privacy and security obligations when statutory thresholds apply
  • CDI email and license disclosure requirements for licensed agents

How Legacy Core fits

Legacy Core helps agents demonstrate documented cybersecurity readiness to carriers and clients. It does not satisfy NAIC Model #668 (not California law) or replace carrier security questionnaires.

Do not claim

  • · NAIC Model Law #668 is current law in California
  • · Legacy Core satisfies NAIC ISP requirements

Primary sources

Confidence: HIGH. Last reviewed 2026-07-13.

Boundary

What a Legacy Core credential does not attest to

A Trust Badge documents demonstrated readiness against a dated Standards Release (assessment basis: NIST CSF 2.0 and CIS Controls v8). It is not a substitute for industry-specific legal or regulatory obligations.

  • FTC Safeguards Rule or WISP compliance (CPAs / tax preparers)
  • HIPAA compliance or OCR audit readiness (medical / dental)
  • ABA or State Bar ethics sign-off (attorneys)
  • SEC Regulation S-P compliance (investment advisers)
  • NAIC Insurance Data Security Model Law (including in California — not adopted)
  • CCPA cybersecurity audit certification (threshold-gated regulation)
  • Cyber insurance approval or claim guarantee
  • Penetration test, SOC 2, CMMC, or government endorsement

Legacy Core is aligned with NIST CSF 2.0 and CIS Controls v8. Legacy Core is not affiliated with, endorsed by, or accredited by NIST, CIS, or any government agency. Tracking a framework does not constitute a determination of legal or regulatory compliance.

Industry-specific obligations by vertical: Regulatory context guides

Insurance Agencies (California) — Regulatory Context | Legacy Core | Legacy Core