New York closed out 2024 by introducing several significant changes to its cybersecurity and breach notification laws. These changes, which arrived via a slate of bills signed into law by Governor Kathy Hochul on December 21, 2024, clarify existing notification requirements, bring New York’s law into alignment with other states’ requirements, and may prompt businesses to review their incident response procedures. The changes, along with earlier guidance issued by the New York Department of Financial Services (“DFS”), demonstrate that New York’s regulatory landscape is continually evolving to address new threats. Businesses should keep pace with these developments by reviewing the new laws and by modifying their cybersecurity and incident response policies accordingly.
Notice Requirements for Data Breaches
Senate Bill S2659B, effective immediately upon signing, makes significant changes to the timing and process for notifying affected individuals and New York authorities of data breaches under the SHIELD Act (NY General Business Law § 899-aa et seq.), New York’s breach notification statute.
Under the prior law, disclosure of a covered breach was to “be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement,” with no fixed outer limit. The amended law keeps that language but adds a hard deadline: notice to affected New York residents must be provided within 30 days of the discovery of the breach.
S2659B as originally enacted imposed a new requirement to notify DFS (in addition to the New York Attorney General, the Department of State, and the State Police) of a data breach, regardless of whether the disclosing company was otherwise subject to DFS regulation. That requirement was narrowed by a chapter amendment signed on January 8, 2025, which clarifies that only DFS-covered entities (as defined in the DFS cybersecurity regulations, 23 NYCRR Part 500) must notify DFS of covered data breaches. Businesses subject to DFS regulation should note that 23 NYCRR § 500.17 separately requires notification to DFS within 72 hours of a determination that a reportable cybersecurity event has occurred, a much less forgiving timeframe than even the new 30-day SHIELD Act deadline.
Businesses will need to update their incident response programs so that breach timelines, escalation paths, and regulator contact lists reflect these notification requirements.
Expanded Breach Definition
Assembly Bill A4737B, effective March 21, 2025, amends the SHIELD Act to add “medical information” and “health insurance information” to the categories of data that comprise “private information” whose compromise may require notification to state authorities. This change brings New York in line with many other states, which already require notification of data breaches involving medical and health insurance information.
Under the amended law, “health insurance information” is defined as: “an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual or any information in an individual’s application and claims history, including, but not limited to, appeals history.” The amended law further defines “medical information” as “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.”
The addition of “medical information” and “health insurance information” to the categories of information that comprise “private information” means that a breach of either data type in combination with “personal information” (i.e., information such as a name that can be used to identify a natural person) may trigger an obligation for the entity that experiences the incident to notify affected individuals and New York authorities.
The bill also correspondingly amends the identity theft section of New York’s penal code to expressly prohibit the theft of “medical information” and “health insurance information”.
These changes underscore the growing importance of securing health data. In the present risk environment, businesses across sectors — not just those in the healthcare vertical — need to ensure that their privacy and cybersecurity programs adequately address health data.