Governor Kathy Hochul signed several bills last month designed to strengthen protections for the personal data of consumers. One of those bills (S2659B) makes important changes to the notification timing requirements under the Empire State's breach notification law, Section 899-aa of the New York General Business Law. The bill was effective immediately when signed, or December 21, 2024.
All fifty states have enacted at least one data breach notification law. Some states, such as California, have more than one statute – a generally applicable statute and one applying to certain health care entities. Over the years, many of these states have updated their laws in different respects. For example, some have expanded the definition of personal information, resulting in broader categories of personal information triggering a potential notification requirement if breached. Others have added requirements to notify one or more state agency. While some states have modified the specific notification requirements, such as the timing of notification. That is one of the changes New York made to its law.
Prior to the change, a business subject to the New York statute that experienced a covered breach would be required to provide notification to affected individuals:
in the most expedient time possible and without unreasonable delay.
There was no outside time frame by which the notice must be provided. The bill added a 30 day deadline. So, now, the law requires the breached entity to provide notification
in the most expedient time possible and without unreasonable delay, provided that such notification shall be made within thirty days after the breach has been discovered
Notably, prior to the change, the law excluded from this timing requirement the legitimate needs of law enforcement and "any measures necessary to determine the scope of the breach and restore the integrity of the systems." The legitimate needs of law enforcement exception remains in the law, determining the scope of the breach and restoring system integrity do not.
S2659B also made a change to the state agencies that must be notified in the event of a breach under the statute. Under the prior law, if any New York residents were to be notified under the State's breach notification law, the state attorney general, the department of state and, the division of state police all needed to be notified. The new law adds the Department of Financial Services to the list.
With breach notification requirements under federal law, the laws in all states and several localities, and increasingly embedded in contract obligations, it can be difficult stay up to date, particularly if the company is in the middle of handling the breach. In addition to it being required in some scenarios, this is one more reason why we recommend maintaining an incident response plan. Such a plan is a good place to track these kinds of developments for the company's incident response team.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
