On December 21, 2024, New York Gov. Kathy Hochul signed into law S2659-B/A8872-A, which, effective immediately, changed timing requirements for notice under New York's data breach notification law and expanded the list of state agencies to be notified of a breach. Hochul also signed legislation that, beginning on March 25, 2025, adds new data elements to New York's definition of "private information" requiring notice under New York law if accessed or acquired (S02376-B/A04737-B).
Notice Required Within 30 Days of Breach Discovery
As of December 21, 2024, any person or business that owns or licenses computerized data containing the "private information" of New Yorkers must notify affected New Yorkers of a data breach (defined as the unauthorized access to or acquisition of "private information") no later than 30 days after discovering the breach, unless the legitimate needs of law enforcement require delay.
Importantly, the needs of law enforcement are now the only consideration that may delay notice. The statutory language that previously allowed additional time to determine the scope of the breach and restore the integrity of the system has been removed. The 30-day requirement is noteworthy because the statute now prescribes a specific number of days within which New Yorkers must be notified; before the amendment, notice was required only "in the most expedient time possible and without unreasonable delay."
Additionally, any person or business that maintains private information of New Yorkers that it does not own must notify the owner or licensee of that information within 30 days of discovering a breach involving it. Here as well, the 30-day requirement is notable, as the prior version of the statute did not state a specific number of days within which that notification had to be made.
All Notices to NYDFS
The amendments that are effective on December 21, 2024, also require the notifying party to send the following to the New York Department of Financial Services (NYDFS) whenever a resident of New York is notified of a data breach:
- The timing, content and distribution of the notices
- The approximate number of affected persons
- A copy of the template of the notice sent to affected persons
The amendment does not address how the notice to NYDFS must be submitted. This same information is already required to be submitted to the New York Attorney General, the Department of State and the Division of State Police, and it is automatically and simultaneously delivered to all three agencies when the notice is submitted through the New York Attorney General's website. It is not yet clear whether that automatic submission will also reach NYDFS. Currently, NYDFS requires that cybersecurity event notifications be submitted through its own portal, which in turn requires an identifying number, such as a New York State License number, a National Association of Insurance Commissioners (NAIC) or New York Entity number, a Nationwide Mortgage Licensing System (NMLS) number or an institution number. Because entities not supervised by NYDFS are now required to notify the department, and such entities would not have an identifying number of this kind, submitting notifications in compliance with the updated statute may present a logistical problem.
This notification obligation is in addition to the requirement for licensed entities to notify NYDFS pursuant to NYDFS' Cybersecurity Regulation, Part 500, which we discuss here.
Changes to the Definition of "Private Information"
New York law requires notification when private information is accessed or acquired without authorization. "Private information" is presently defined to include the following data elements:
- Social Security number
- Driver's license number or non-driver identification card number
- Account number or credit or debit card number, in combination with any required information that would allow access, or without such information if the number alone could be used to access an individual's financial account
- Biometric information
- A username or email address in combination with a password or security question and answer that would permit access to an online account
On March 25, 2025, two additional data elements will be added to the list:
- Medical information
- Health insurance information
"Medical information" means "any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional." "Health insurance information" is defined to mean "an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual or any information in an individual's application and claims history, including, but not limited to, appeals history."
The same legislation also amends New York's penal law to add medical information and health information to New York's criminal identity theft statutes.
These changes may expand the obligations of organizations responding to cybersecurity and data security incidents while shrinking compliance timelines. Because the 30-day clock runs from discovery of the breach rather than from completion of the investigation, incident response plans should record when a breach was discovered and ensure that date reaches counsel promptly. Continuing efforts to minimize the amount of personal information collected and retained, together with a well-developed incident response plan practiced through tabletop exercises, can help reduce the risk of falling out of compliance with these laws.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.