On December 24, 2024, New York Governor Kathy Hochul signed into law an amendment to New York General Business Law § 899-aa modifying the state’s data breach notification requirements. The amended law, which is effective immediately, imposes new requirements businesses must follow when providing notifications following a data breach affecting New York residents. Specifically, businesses now must disclose data breaches affecting New York residents within thirty days from the discovery of a breach. Additionally, the amendment adds the New York Department of Financial Services (“NYDFS”) to the list of state regulators that must be notified whenever a breach requiring notification to New York residents occurs.
New York’s data breach notification law requires persons and businesses that own or license data containing personal information (“PI”) to notify affected New York residents, certain state regulators, and (in some circumstances) consumer reporting agencies following a “breach” of PI. A separate provision requiring notification to data owners and licensees applies to businesses and persons that maintain but do not own data containing New York residents’ PI.
Prior to the amendment, New York’s data breach notification law did not set an explicit timeframe for data owners to notify residents whose PI was impacted. Instead, the statute called for notification to residents “in the most expedient time possible and without unreasonable delay.” This language is prevalent in state data breach notification statutes, and recent case law is not determinative of what constitutes a reasonable time period between determination of a breach and notification. While New York’s law as amended preserves this language, it eliminates any doubt as to the outer bounds for timeliness by setting a thirty-day limit for notification of breaches involving PI of New York residents.
The thirty-day notification requirement is the shortest among states that establish an explicit deadline for notification to individuals; however, it is not unique. The New York amendment follows the lead of nearly identical provisions found in Colorado, Florida, Maine, and Washington’s data breach notification laws, which also impose a thirty-day limit for notification to individual state residents.
The revised law eliminates language that allowed businesses to delay notification to state residents “consistent with . . . any measures necessary to determine the scope of the breach and restore system integrity”; however, the “legitimate needs of law enforcement” remain valid grounds for delaying notification to affected residents.
The amendment also introduces a thirty-day deadline for businesses that maintain but do not own data containing PI to notify the owner or licensee in the event of a breach. While the prior law required such notification to be made “immediately,” the amendment adds a clarification that, in any event, “such notification shall be made within thirty days following discovery.”
The amendment further adds NYDFS to the list of state government regulators that must be notified in the event of a PI breach affecting New York residents. Prior to the amendment, New York’s law required notice to the State Attorney General, the New York Department of State, and the New York State Police if any New York residents were notified of an incident pursuant to the law. This reporting requirement is distinct from both the 72-hour cybersecurity incident notification requirement and the 24-hour extortion payment notification requirement that apply to NYDFS-licensed financial institutions under 23 NYCRR Part 500.
Prior to the December 2024 amendment, the latest change to New York’s data breach notification law was introduced in 2019 via the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act, which broadened the scope of PI and the definition of breach. The SHIELD Act also expanded the data security provisions applicable to any person or business that owns or licenses data containing New York residents’ PI.