How Will New York’s Amended Data Breach Law Affect Businesses?

January 7, 2025

On December 24, 2024, Governor Kathy Hochul signed an amendment to New York General Business Law § 899-aa, the state’s data breach notification statute. The amendment replaces the statute’s open-ended notification standard with a fixed thirty-day outer deadline for disclosing breaches that affect New York residents, and it adds the New York Department of Financial Services (NYDFS) to the state regulators that must be informed. Data breaches remain a pervasive threat, and a fixed clock gives affected residents and regulators a predictable window in which to expect notice and act on it.

Defining a Clear Timeline for Notification

Thirty-Day Limit for Notifying Affected Residents

Previously, New York required businesses to notify affected residents “in the most expedient time possible and without unreasonable delay,” a common but imprecise standard found in many state laws. Because the statute set no outer limit, businesses interpreted it inconsistently, and the interval between discovery and notice varied widely. The amended law keeps the expedient-time standard but caps it: notice must be given within thirty days after the breach is discovered. Two points matter in practice. The clock starts at discovery of the breach, not at containment or at the end of a forensic investigation, so the investigation must be scoped to fit inside the window. And thirty days is a ceiling, not a grace period; waiting the full thirty days without a reason can still be an unreasonable delay. The statute’s existing allowance for delay at the request of law enforcement, where notice would impede a criminal investigation, remains. With the cap, New York joins states such as Colorado, Florida, Maine, and Washington, which already impose thirty-day notification deadlines.

The fixed deadline serves two purposes. It shortens the time before affected individuals learn of a breach, which is when protective steps such as changing credentials, placing a credit freeze, and enrolling in credit monitoring do the most good, and it makes a business’s response time measurable, so that delay can be evaluated against a known standard rather than argued case by case. The period immediately following a breach is when exposed data is most likely to be misused, and the thirty-day limit is aimed at that window.

Responsibilities of Data Maintainers

The amendment also introduces a significant change for businesses that maintain but do not own data containing personal information. These entities are now required to notify the data owner or licensee within thirty days of discovering a breach. This replaces the previous, more ambiguous directive of “immediate” notification, which lacked a specified timeframe. By establishing a concrete deadline, the amendment brings clarity to the responsibilities of data maintainers, ensuring a faster and more organized response to data breaches.

This change addresses a critical gap in the previous regulatory framework, making it imperative for any third parties involved in data handling to act promptly and responsibly. The clear directive ensures that data owners, who are ultimately responsible for the information, are quickly made aware of any breaches, allowing them to take necessary actions to mitigate risks. Furthermore, this alignment with the broader notification requirement underscores the seriousness with which New York is treating data security and breach responsiveness, setting a new standard for other states to consider.

Expansion of Regulatory Notification Requirements

Inclusion of the NYDFS

An important aspect of the amended law is the inclusion of the NYDFS among the list of state regulators to be notified in the event of a data breach. Before this amendment, businesses were required to inform the State Attorney General, the New York Department of State, and the New York State Police. Adding the NYDFS to this list is a significant enhancement, reflecting the agency’s central role in overseeing financial institutions and enforcing cybersecurity regulations within the state.

This addition is not merely symbolic. Under its cybersecurity regulation, 23 NYCRR Part 500, the NYDFS already requires the entities it licenses (its “covered entities”) to report cybersecurity incidents within 72 hours and to notify it of any extortion payment within 24 hours. The § 899-aa notice is a separate obligation with its own trigger (a “breach of the security of the system” involving private information) and its own thirty-day clock; filing under Part 500 does not satisfy it, and vice versa. A covered entity that suffers a breach therefore has to track both clocks, and the Part 500 deadline will almost always fall first. By routing breach notices to the NYDFS as well, New York ties its general breach statute to the regulator that already supervises cybersecurity in the financial sector.

Complementing Existing Requirements

In essence, the inclusion of the NYDFS dovetails with existing requirements. Entities the NYDFS already regulates are accustomed to rigorous, short-fuse reporting, and for them the § 899-aa notice is an additional filing alongside Part 500 reporting rather than a change in practice. For businesses outside NYDFS supervision, the amendment adds a fourth regulator to the notification list, and incident response plans and notification templates need to reflect that.

The existing NYDFS requirements reflect the principle that swift reporting protects the integrity of financial and other sensitive data. The amendment extends that principle, through the thirty-day cap and the expanded regulator list, to every business subject to § 899-aa. The practical effect is a more uniform and coordinated response when breaches occur: affected residents are told sooner, and the regulators responsible for oversight hear about the incident at the same time.

Historical Context and Future Implications

The 2019 SHIELD Act

To appreciate the full impact of this recent amendment, it’s essential to consider it within the historical context of New York’s legislative efforts to bolster data security. A significant milestone in this journey was the 2019 passage of the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The SHIELD Act widened the definition of “private information,” broadened “breach” to cover unauthorized access to data and not only its acquisition, extended the statute to any business holding New York residents’ data regardless of where the business is located, and, through § 899-bb, required businesses to maintain reasonable administrative, technical, and physical safeguards for that data.

The SHIELD Act marked a proactive effort to address emerging data security threats by broadening what constituted a data breach and setting higher standards for safeguarding personal data. The 2024 amendment builds on these foundational elements, addressing specific areas for improvement such as clarifying notification timelines and expanding the list of regulatory contacts. Together, these legislative efforts reflect a cohesive strategy aimed at fortifying data security and enhancing the legal framework within which businesses must operate.

Ongoing Trends Towards Stricter Compliance Measures

The 2024 amendment fits a broader trend toward stricter, more specific breach obligations: fixed deadlines in place of “without unreasonable delay,” more regulators on the notification list, and closer alignment between general breach statutes and sector rules such as 23 NYCRR Part 500. For businesses handling New York residents’ data, the amendment translates into a few concrete checks. Know, for each data set, whether the business is the owner or licensee or merely maintains the data for someone else, because the two roles carry different thirty-day obligations. Treat the date of discovery as the start of the clock and plan the investigation accordingly. Keep the regulator list current, with the NYDFS now alongside the Attorney General, the Department of State, and the State Police. And where the business is an NYDFS covered entity, reconcile the thirty-day statutory deadline with Part 500’s 72-hour and 24-hour requirements so that neither is missed.
