New York State Data Breach Notification Law Amendment

On December 24, 2024, Governor Kathy Hochul of New York signed a new amendment to the state’s data breach notification law. This change, effective immediately, introduces new requirements for businesses when notifying New York residents about data breaches. The amendment mandates that businesses disclose breaches affecting New York residents within thirty days of discovery. Additionally, the New York Department of Financial Services has been added to the list of state regulators to be notified in the event of a breach.

Before this amendment, New York’s data breach notification law did not specify a timeframe for notifying impacted residents. The law simply called for timely notification “without unreasonable delay.” While the amendment preserves this principle, it now sets a clear thirty-day deadline for notifying New York residents of any breaches involving their information.

This thirty-day requirement puts New York in line with states like Colorado, Florida, Maine, and Washington that also have the same notification timeframe. The revised law removes ambiguities around delaying notification to residents and provides law enforcement exceptions for such delays.

Another noteworthy change is the introduction of a thirty-day deadline for businesses that maintain but do not own data containing personal information to notify the owner or licensee in case of a breach. This deadline adds clarity to previous requirements.

The amendment also expands the list of state regulators to include NYDFS in the notification process for breaches affecting New York residents. Previously, notification was required for the State Attorney General, the New York Department of State, and the New York State Police. The update ensures timely reporting to the appropriate regulatory bodies following a breach.

This recent amendment marks the first significant change to New York’s data breach notification law since the introduction of the SHIELD Act in 2019. The SHIELD Act expanded the scope of personal information and redefined breaches, enhancing data security provisions for businesses owning or licensing data containing New York residents’ information.