New York Data Breach Notification Amended

28 Feb


Applicable to: All Covered Employers
Effective Date: Bills – Immediately; Expanded Definition of PI – March 21, 2025


What happened?

On December 24, 2024, New York Governor Kathy Hochul signed bills A8872A and S2376B into law, amending New York General Business Law § 899-aa to update the state’s data breach notification requirements.


Overview:

New York’s data breach notification law requires persons and businesses that own or license data containing personal information (PI) to notify affected New York residents, certain state regulators, and, in some cases, consumer reporting agencies following a breach of PI. A separate provision requires notification to data owners and licensees for businesses and persons that maintain but do not own data containing New York residents’ PI.


Key Changes:

  • Notification Timing:
    • Companies must notify affected individuals within 30 days of discovering a data breach. Previously, the law required notification “in the most expedient time possible and without unreasonable delay.”
    • Those maintaining but not owning such data must notify the owner within 30 days.
  • Expanded Definition of Personal Information:
    • Effective March 21, 2025, the definition of personal information includes medical and health insurance information.
  • Additional Regulatory Notification:
    • Businesses must now notify the New York State Department of Financial Services (NYSDFS) in addition to the Attorney General (NYSAG), the Department of State (NYSDOS), and the Division of State Police (NYSDSP).
    • Breaches affecting over 5,000 residents must also be reported to consumer reporting agencies.
  • These changes aim to enhance the protection of personal data and ensure timely notification to individuals and regulatory authorities in the event of a data breach.


Additional Details

  • HIPAA-Related Breach Notification:
    • HIPAA-related breach notification requirements remain unchanged. HIPAA requires individual notifications within 60 days, which supersedes New York’s 30-day rule. HIPAA breaches must also be reported to the NYSAG within five business days of notifying the Secretary of Health and Human Services.
  • Notification to NYSDFS and Other State Agencies:
    • The new bills add NYSDFS to the list of agencies to be notified, effective immediately. NYSAG, NYSDOS, and NYSDSP notifications are submitted through NYSAG’s online portal. It is unclear if NYSDFS notifications will use the same portal.
    • New York-licensed hospitals must notify the Department of Health within 72 hours of a cybersecurity incident, per regulations adopted in October 2024.
  • Impact on Businesses:
    • Life sciences and consumer healthcare companies not regulated by HIPAA will now need to report breaches involving medical or health insurance information, increasing their risk of financial and reputational harm and potential litigation.

“Please mark the effective date on your calendar as a reminder to be fully prepared and ready to ensure compliance with applicable laws and regulations.”



Need help understanding how changes to employment laws will affect your business?

Learn more about how Vensure's New York PEO services can help you navigate complex employment laws and keep your business compliant.


This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.
