In late December 2024, the New York Governor signed two bills (S2659B and S2376B) amending the state's data breach notification law (N.Y. Gen. Bus. Law § 899-aa). The amendments expand the definition of reportable personal information and impose new reporting obligations on covered entities that experience a data breach.
Effective immediately, companies have 30 days from discovery of a covered breach to notify affected New York residents, whereas the law previously required only that notice be made in "the most expedient time possible and without unreasonable delay." The amendments also removed "measures necessary to determine the scope of the breach and restore system integrity" from the factors a company may weigh in timing its notice to affected individuals. In practice, this means that scoping and remediation work no longer extends the deadline: the 30-day clock runs from discovery, and investigation must proceed in parallel with preparing notice. The statute's existing provision permitting a delay where a law enforcement agency determines that notification would impede a criminal investigation remains in place.
Companies that experience a covered breach are also now required to notify the New York Department of Financial Services (DFS), in addition to the existing obligation to notify the New York Attorney General, the Department of State, and the Division of State Police. Notably, notice to DFS is required even if the company is not licensed by DFS.
Finally, the amendments expand the law's definition of "private information" to encompass medical information and health insurance information, so a compromise of either category will trigger notice to regulators and affected individuals.
While the new notice obligations took effect on December 21, 2024, the expanded definition of reportable private information does not take effect until March 21, 2025. Companies should review their incident response plans to ensure compliance with these changes, in particular by updating the regulator notification list to include DFS, adjusting notification timelines to the 30-day deadline from discovery, and extending data inventories and breach triage criteria to cover medical and health insurance information.