Background Check Blog - CredentialCheck

Updates to New York’s Data Breach Notification Law Explained

Written by Admin | Mar 12, 2025 4:15:00 PM

In December 2024, New York Governor Kathy Hochul signed two bills amending the state’s data breach notification law (General Business Law § 899-aa): Senate Bill S2376B, which broadens the definition of private information, and Senate Bill S2659B, together with its Assembly companion A8872A, which tightens notification timelines and reporting. The amendments aim to strengthen data breach notification requirements, enhance transparency, safeguard consumer data, and hold businesses accountable for breaches. They expand what qualifies as a notifiable data breach and establish more specific rules for notifying affected consumers and state agencies.

What has changed?

S2376B: Changes to private information categories

S2376B took effect on March 21, 2025. It broadens the categories of “private information” whose compromise triggers a business’s notification obligations, adding two new categories:

  • Medical information: The law defines medical information as “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.”
  • Health insurance information: Health insurance information is defined as “an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including, but not limited to, appeals history.”

To read the full details of the amendments to New York’s data breach notification law, take a closer look here.

A8872A: Changes to timeline and reporting

Previously, businesses had no fixed deadline; they were required only to notify affected individuals “in the most expedient time possible and without unreasonable delay.” A8872A keeps that standard but adds a hard outer deadline and expands the list of state agencies that must be notified.

  • Timeline for notifying affected individuals: Businesses that discover a breach involving private information must notify affected New York residents no later than 30 days after the breach is discovered. The statute still allows a delay when law enforcement determines that notification would impede a criminal investigation, but that is the only basis for exceeding the 30-day window; time spent scoping the incident or restoring systems does not pause the clock.
  • Government reporting for data breaches: In addition to notifying the New York State Attorney General, the Department of State, and the Division of State Police, businesses must now also notify the Department of Financial Services (DFS) of any breach affecting New York residents.

Take a closer look here to see the full text and amendments regarding reporting requirements and timelines.

Enforcement and penalties

The Attorney General is responsible for enforcing the notification requirements, and DFS separately oversees the financial institutions and related entities it regulates to ensure they meet the new notification standards. Entities that fail to comply with the updated requirements are subject to legal action, including the fines and penalties set out in New York's General Business Law.

Keeping up with the evolving world of consumer data

All states already have laws requiring businesses to notify consumers of a data breach, but those laws vary substantially in scope and deadlines. New York’s amendments build on the state’s existing consumer protections by expanding the definition of private information and setting a stricter timeline for notifying consumers and government agencies, and they could set a precedent for other states to revisit their own definitions of protected data and their breach reporting requirements.

This article is for informational purposes only and does not constitute legal advice or official predictions of future laws and regulations. Hiring professionals, HR professionals, and administrators should consult their legal counsel to ensure all actions comply with the law.