
Tick Tock: You now have less than 30 days from discovery of a breach to notify New Yorkers

In Legal News
January 04, 2025

New York’s Governor Hochul signed two bills into law in December that modify New York’s breach notification law. The first, which has already gone into effect, replaces the “in the most expedient time” language with an actual deadline of 30 days from discovery of a breach, but retains an exception for the legitimate needs of law enforcement.

The second expands the definition of “personal information” to protect medical and health insurance information under identity theft law. That will go into effect on March 21, 2025.

Entities notifying New York of a breach will now also have a fourth agency that they must submit notification to: the New York Department of Financial Services.

Joseph Lazzarotti of Jackson Lewis explains:

Governor Kathy Hochul signed several bills last month designed to strengthen protections for the personal data of consumers. One of those bills (S2659B) makes important changes to the notification timing requirements under the Empire State’s breach notification law, Section 899-aa of the New York General Business Law. The bill was effective immediately when signed, or December 21, 2024.

All fifty states have enacted at least one data breach notification law. Some states, such as California, have more than one statute – a generally applicable statute and one applying to certain health care entities. Over the years, many of these states have updated their laws in different respects. For example, some have expanded the definition of personal information, resulting in broader categories of personal information triggering a potential notification requirement if breached. Others have added requirements to notify one or more state agencies, while some states have modified the specific notification requirements, such as the timing of notification. That is one of the changes New York made to its law.

Read more at JDSupra.

Related Resource:

The National Conference of State Legislatures provides links to each state’s data breach notification laws as they apply to both private entities and government agencies. The listings are current despite something suggesting the resource was last updated in 2022. A check today shows the new New York State requirements are already included.