Changes to New York’s Data Breach Notification Law
In late December 2024, New York Governor Kathy Hochul signed two bills (S2659B and S2376B) to amend certain aspects of New York’s data breach notification law, N.Y. Gen. Bus. Law § 899-aa.
The changes outlined in S2659B went into effect on December 21, 2024. The amendment requires a person or business that maintains private information of New York residents to notify those residents within 30 days of discovering a breach of private information. The amendment also requires, for example, vendors that maintain New York private information on behalf of another person or business to notify that person or business within 30 days of discovering a breach of private information. Prior to the change, an entity subject to the statute would have been required to provide notification to affected individuals “in the most expedient time possible and without unreasonable delay.” New York joins a handful of states that have the strictest timelines in the United States for notifying individuals of a data breach. Notably, the prior law excluded from the timing requirement “the legitimate needs of law enforcement” and “any measures necessary to determine the scope of the breach and restore the integrity of the system.” In the amended law, the law enforcement exclusion remains, while the “determine the scope of the breach and restore the integrity of the system” exclusion does not.
The legislation also adds another state agency that must be notified in the event of a data breach. Under the prior law, when New York residents were notified, entities were also required to notify the New York Attorney General, Department of State, and Division of State Police. The amendment requires entities to also notify the Department of Financial Services.
The changes outlined in the second bill, S2376B, expand the categories of private information to encompass medical and health insurance information, which will now trigger notifications to individuals and regulators under the breach notification statute. The changes outlined under this bill do not take effect until March 21, 2025.
These are significant changes to the current data breach legislation that will affect how organizations respond to cybersecurity incidents. Organizations should consider creating or updating their incident response plans to track these and other changes to existing legislation.
If you have any questions about your company’s compliance with cyber regulations, concerns about vulnerability to attacks or other breaches, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.