New York Data Breach Notification Law Updated
Wednesday, January 29, 2025

New York Governor Kathy Hochul recently signed into law several bills (S2659B and S2376B) modifying the state’s data breach notification law. The amendments revise the timing requirements for notice to affected individuals, expand the list of regulators to be notified, and add new data elements to New York’s definition of “private information.”

  • Timing Requirements: Before the amendment, New York’s breach notification law required notification to affected New York residents “in the most expedient time possible and without unreasonable delay.” As of December 21, 2024, the law requires affected individuals to be notified no later than 30 days after discovery of the breach, except “for the legitimate needs of law enforcement.”
  • Additional Regulator Notice Requirements: Also effective December 21, 2024, the law now requires notice to the New York Department of Financial Services. Previously, the law required notice to the New York State Attorney General, the New York Department of State, and the Division of State Police.
  • Revised Definition of “Private Information”: Effective March 25, 2025, the definition of “private information” subject to the law’s notification requirements will include (1) medical information (i.e., any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional) and (2) health insurance information (i.e., an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual or any information in an individual’s application and claims history, including, but not limited to, appeals history).
  • HIPAA Exemption: Pursuant to the law’s HIPAA exemption, a breach of protected health information would not trigger additional notification requirements to affected individuals. However, the law still requires notice to certain regulators, including the New York State Attorney General, the New York Department of State, and the Division of State Police. Notably, the HIPAA exemption was not amended and does not reflect the law’s new general requirement to notify the New York Department of Financial Services.