ARTICLE
9 January 2025

New York Modifies Data Breach Law Heading Into 2025

Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.

As 2024 came to a close, New York Gov. Hochul signed two bills (A8872A and S2376B) amending New York's data breach law. The modifications change both what constitutes personal information under the law and the timing of notification. The notice modification is now in effect; the change to the definition of personal information does not take effect until March 21, 2025.

As amended, companies will now have 30 days from discovery of a breach to notify impacted individuals. Previously, the law required notice to individuals "in the most expedient time possible and without reasonable delay." The list of regulators to notify has also changed. Previously, businesses needed to provide notice to the NY Attorney General, the Department of State, and the Division of State Police. A fourth group has been added: notice must now also be sent to the New York Department of Financial Services. Notification to each agency can be done via a form on the New York AG website.

The law's definition of personal information has been expanded to include both medical information and health insurance information. New York joins a growing list of states to include these elements in their breach laws.

Putting it into Practice: Those who keep a running list of notification timing will need to add this New York change to their list. New York also adds a regulatory authority to its notification list. Keep in mind the expanded definition of personal information when assessing breaches this year.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
