New York has made significant amendments to its data breach notification laws by requiring businesses to take proactive measures in the event of a data breach incident.
New York's data breach notification laws, found in New York General Business Law (GBL) § 899-aa, require residents to be notified of a data breach of personal information. The responsible party must also inform the state’s Attorney General, the state’s Department of State, the Division of State Police and the New York Department of Financial Services (“NYDFS”) about the timing, content, and distribution of the notices, and the approximate number of affected individuals. A copy of the notice template sent to affected persons must also be provided.
On February 14, the Governor of New York signed into law Senate Bill 804 (“SB 804”), which amends the general business law concerning when and how notifications for data breaches must be provided to the New York Department of Financial Services (“NYDFS”). SB 804 clarifies that only covered entities, as defined in 23 NYCRR 500.1, that are under the jurisdiction of the NYDFS are mandated to notify NYDFS of data breaches. Notice to the NYDFS must comply with 23 NYCRR 500.17, which requires 72-hour notice from when a data breach event occurred. SB 804 was made retroactively effective to December 21, 2024, so that it takes effect concurrently with other data breach notification legislation that became effective on that day.
Other recent changes to NY GBL § 899-aa include the expansion of the definition of what constitutes "personal information." Under the new amendments, personal data now includes more than just financial information or Social Security numbers. Biometric data, email addresses, usernames, and passwords are also explicitly covered under the law.
A shortened notification timeline was also added. Previous law required businesses to notify affected individuals "without unreasonable delay." However, the new amendments set a specific time frame of 30 days from the discovery of the breach to notify affected individuals. Businesses are required to notify the New York Attorney General within the same 30-day period if a data breach affects more than 500 residents.
If a data breach event affects more than 5,000 New York residents at one time, the responsible party must also notify consumer reporting agencies as to the timing, content, and distribution of notices and the number of affected persons. The responsible party must also offer free credit monitoring services to affected individuals for a minimum of one year if the breach involves sensitive personal information such as Social Security numbers or financial data. Information about fraud alerts and credit freezes must be included in notifications to let the affected residents know how to further protect their identities against identity theft.
While penalties for violations have always been part of the law, even stronger enforcement mechanisms have been put in place with the recent amendments. New provisions allow the New York Attorney General to impose fines for non-compliance with breach notification requirements. The penalties, which can be significant, are meant to be a deterrent to businesses that may be tempted to delay or avoid notification.
New York’s amendments set a precedent for other states to follow in taking steps to address the evolving challenges of data security as the occurrence of cyber threats and data breaches continues to grow.