New York Revises Data Breach Notification Law to Strengthen Notification Standards and Broaden Definition of ‘Private Information’ | Ogletree, Deakins, Nash, Smoak & Stewart, P.C.

On December 24, 2024, Governor Kathy Hochul of New York enacted significant amendments to both the state’s private-sector and government agency data breach notification laws. These revisions to the General Business Law § 899-aa and New York State Technology Law § 208 introduce strict new timelines and a broadened scope of what constitutes “private information.”

Under the new regulations, businesses are now required to notify affected New York residents of a data breach within thirty days of its discovery. This marks a notable shift from the previous standard, which required notification to be made as expeditiously as possible but set no defined deadline. Additionally, the amendments have removed provisions that allowed companies to delay notifications based on their internal assessments of breach impact or on efforts to restore system integrity. Nevertheless, notification may still be delayed at the request of law enforcement. The fixed deadline also highlights a contrast between the notification timelines imposed on private entities and those imposed on public agencies.

The amendments also mandate notification of the New York State Department of Financial Services (NYDFS) in the event of a breach, further adding to the regulatory burden traditionally faced by businesses. Along with NYDFS, entities are still required to inform the attorney general, the New York Department of State, and the state police. Notifications to these agencies must detail the timing and content of individual notifications, the estimated number of individuals affected, and a template for the notice itself. Notably, the obligations for public entities remain more lenient; they are still required to notify impacted individuals without a strict timeframe, relying on the phrase “as expediently as possible.”

Effective March 21, 2025, the definition of “private information” will also expand to include medical and health insurance data. This encompasses a person’s medical history and health insurance policy identifiers, thereby increasing the kinds of data breaches that could invoke notification requirements. This change holds particular significance as data breaches involving this type of sensitive information may now subject organizations to multiple layers of legal obligations, given existing regulations under federal and state laws like the Health Insurance Portability and Accountability Act (HIPAA).

As businesses grapple with these amendments, they may wish to reassess their incident response plans and overall cybersecurity measures to ensure compliance. The potential implications are substantial, particularly for organizations that handle medical or health insurance information. The increased scrutiny on personal data classifications introduces more avenues for legal and regulatory challenges, demanding heightened awareness and preparedness in cybersecurity governance.

From a cybersecurity perspective, the evolving landscape underscored by these legislative changes aligns with ongoing threats in the digital space. Adversaries using tactics catalogued in the MITRE ATT&CK framework, including initial access through phishing or exploitation of vulnerabilities, benefit when breaches go undetected or unreported for long periods, which is precisely what the shortened notification window is meant to curtail. Businesses must remain vigilant against techniques related to persistence, privilege escalation, and lateral movement as they navigate these new obligations. Given the complex web of requirements, a robust data protection strategy is now more critical than ever to mitigate risk and ensure prompt, compliant responses to breaches.
