Organizations handling New Yorkers’ data now face one of the country’s shortest breach notification deadlines. Morrison Foerster attorneys Melissa Crespo and Reiley Porter break down the state’s recent amendments that impose a 30-day notification requirement and expand protected information categories to include medical and health insurance data.
Recent amendments to New York General Business Law § 899-aa, New York’s data breach notification law, coincide with a long-term shift across states toward broader definitions of personal information and stricter notice timing requirements. Organizations that process data of any of New York’s 20 million residents should consider how the changes will impact existing organizational approaches to incident response and breach notification.
These amendments introduced three key changes to the breach notification law: a new 30-day breach notice timeline, a requirement that New York Department of Financial Services (DFS)-regulated entities must notify DFS of a breach and an updated definition of “private information” that includes medical and health insurance information. The amendments were signed into law by Gov. Kathy Hochul in December and followed by a further clarifying amendment in February.
30 days to notify
Effective Dec. 21, 2024, any…
