
Keypoint: New York has amended its data breach notification law twice in the last 60 days to (1) add a 30-day deadline for notifying affected residents, (2) clarify that covered financial entities must still notify the New York Department of Financial Services (NYDFS) in accordance with existing NYDFS cybersecurity regulations, and (3) expand the prior definition of “private information” to include medical and health insurance information.

In the last sixty days, the New York legislature twice amended its data breach notification law. In the below article, we discuss the amendments and takeaways for covered businesses.

A Shorter Notification Deadline for the Private Sector

The NY legislature amended General Business Law § 899-aa, the state’s private-sector data breach notification law, in December 2024, and has since enacted a second amendment to clarify which types of businesses must provide updates to the New York Department of Financial Services (NYDFS).

The December 2024 amendment requires businesses that suffer a breach to inform affected residents in the most expedient time possible and without unreasonable delay, provided that such notification is made within thirty days after the breach has been discovered. The amendment also eliminated the allowances to delay notification while the business assessed the scope of the breach or restored system integrity. The amended law still allows notification to be delayed for legitimate law enforcement purposes.

The December amendment adds a similar outer limit to the notification deadline for businesses that process or service data on behalf of other companies. A business that experiences a data breach on its systems but does not own the data must inform the data owner immediately, provided that notification is made within 30 days following the discovery of the breach.

These 30-day deadlines went into effect immediately, and they put companies subject to New York law on the same timeline as companies subject to Colorado, Florida, and Washington law, which also have 30-day deadlines to notify their residents.

New York agencies, however, are not bound by the 30-day deadline. State agencies must notify affected individuals in the most expedient time possible and without unreasonable delay. This time frame can take into account the needs of law enforcement or measures necessary to determine the scope of the breach and restore data system integrity.

Covered Financial Entities Must Still Update NYDFS per Its Cybersecurity Regulations (After a Second Amendment Was Passed)

Under the original breach notification law, every business that is required to notify affected NY residents must also notify the following NY government entities: the Attorney General, the Department of State, and the State Police. Those requirements were not changed in the December amendment, but a requirement was added for all businesses to notify NYDFS. See NY Senate Bill S2659B. The new requirement for all business types to notify NYDFS apparently had broader application than the legislature intended. On February 14, 2025, the Governor signed a second amendment to GBL § 899-aa, clarifying precisely which types of businesses had to notify NYDFS of a data breach, and when those notifications were required. See NY Senate Bill S804.

The February amendment added language to subdivision (8) of GBL § 899-aa, specifying that only those businesses that are defined as covered entities under NYDFS regulations must report breaches to NYDFS, and such notification to NYDFS will be made in accordance with the existing NYDFS cybersecurity regulations.[1]

A Broader Definition of “Private Information” for the Private Sector and State Agencies

The amendments also expanded the state’s definition of “private information” to include medical and health insurance information. Starting March 21, 2025, the scope of “private information” that would trigger a notification requirement will expand to include sensitive health-related data. Specifically, the new definition will cover:

  • Medical information, such as an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional; and
  • Health insurance information, including policy numbers, subscriber identification numbers, unique identifiers used by health insurers, and information in an individual’s application, claims, or appeals history.

The expanded definition of private information applies to the notification obligations for private sector entities and state agencies.

For the private sector, this expanded definition means that breaches involving medical or health insurance information will trigger not only federal notification requirements under the Health Insurance Portability and Accountability Act (HIPAA), but also additional obligations under New York law. For HIPAA-regulated entities, the deadline to notify NY residents will be 30 days, as opposed to 60 days under HIPAA.

Takeaways

Businesses should review and update their incident response plans and data security policies to account for New York’s shorter deadline and the expanded definition of private information that would start the clock for that deadline.

New York is one of several states where the data breach notification laws operate alongside federal laws and regulations such as HIPAA and its Breach Notification Rule, and the Federal Trade Commission’s Health Breach Notification Rule. While these parallel requirements do not require duplicative notifications to be sent to affected individuals, these overlapping legal obligations do mandate that businesses notify the applicable state regulators along with their federal counterparts.


[1] The NYDFS cybersecurity regulations have a 72-hour deadline for covered financial entities to report a cybersecurity incident, and a 24-hour deadline to report an extortion/ransom payment. 23 NYCRR Part 500.

Erik Dullea

As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before returning to the firm in 2023.

Matti Mortimore

Matti offers practical solutions to corporate matters.

After earning a graduate degree in philosophy, Matti wanted a career where he could offer practical help: as much as he enjoyed his original field, he wanted the opportunity to give clients clear solutions to their business problems. Matti was also drawn to the people-driven nature of law and business.

Matti’s research had focused heavily on economics, and his interest in markets translated into an enthusiasm for corporate, transactional, and securities matters. He is passionate about the ways businesses generate social wealth, and he loves the opportunity to help businesspeople grow their companies and contribute to their communities.

As a summer associate with Husch Blackwell, Matti assisted a variety of teams, including healthcare, real estate, litigation, corporate, and the newly established psychedelics practice group. He joined the firm as a full associate in 2023 and currently supports clients throughout the corporate transaction process.

At his core, Matti believes in truly understanding each client and their goals. He prioritizes genuine relationships built on trust and consideration, and he strives for complete client satisfaction. Matti embodies responsibility, consistently delivers on his promises, and is committed to serving clients as a trusted partner.

Maddie Kincaid

Maddie represents clients in complex commercial litigation matters. Maddie’s interest in litigation was sparked through undergraduate and law school mock trial. She found the process of preparing for trial and advocating in front of a jury exhilarating. Trial reminded her of her days growing up as an athlete, running track and playing competitive soccer, where hard work, preparation, adaptability, and a competitive drive were key. She realized that these same qualities would make her a successful litigator.