
New York closed out 2024 by introducing several significant changes to its cybersecurity and breach notification laws. These changes, which arrived via a slate of bills signed into law by Governor Kathy Hochul on December 21, 2024, clarify existing notification requirements, bring New York’s law into alignment with other states’ requirements, and may prompt businesses to review their incident response procedures. The changes, along with earlier guidance issued by the New York Department of Financial Services (“DFS”), demonstrate that New York’s regulatory landscape is continually evolving to address new threats. Businesses should keep pace with these developments by reviewing the new laws and by modifying their cybersecurity and incident response policies accordingly.

Notice Requirements for Data Breaches

Senate Bill S2659B, effective immediately, makes significant changes to the timing and process for notifying New York authorities of cybersecurity incidents pursuant to the SHIELD Act (NY General Business Law §899-aa et seq.), New York’s breach notice statute.

Under existing law, disclosure of relevant breaches was to “be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.” The new law now specifies that notice must be provided within 30 days of the discovery of the breach.

S2659B initially imposed a new requirement to notify DFS (in addition to the New York Attorney General, the Department of State, and the State Police) of a data breach, regardless of whether the disclosing company was otherwise subject to DFS regulation. But that requirement was updated via a January 8, 202 chapter amendment clarifying that only DFS-covered entities are required to notify DFS (as set forth in the DFS cybersecurity regulations, specifically NYCRR § 500.17) of relevant data breaches. Businesses subject to DFS regulation should note that NYCRR § 500.17 requires notification to the DFS within 72 hours from the determination that a cybersecurity event has occurred, a much less forgiving timeframe than even the new SHIELD Act requirement.

Businesses will need to update their incident response programs to ensure that they comply with these new notification requirements.

Expanded Breach Definition

Assembly Bill A4737B, effective March 21, 2025, amends the SHIELD Act to add “medical information” and “health insurance information” to the categories of data that comprise “private information” whose compromise may require notification to state authorities. This change brings New York in line with many other states, which already require notification of data breaches involving medical and health insurance information.

Under the amended law, “health insurance information” is defined as: “an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual or any information in an individual’s application and claims history, including, but not limited to, appeals history.” The amended law further defines “medical information” as “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.”

The addition of “medical information” and “health insurance information” to the categories of information that comprise “private information” means that a breach of “medical information” or “health insurance information” in combination with “personal information” (i.e., information that can be used to identify a person, like a name) may trigger an obligation for the entity that experiences the incident to disclose it to New York authorities.

The bill also correspondingly amends the identity theft section of New York’s penal code to expressly prohibit the theft of “medical information” and “health insurance information.”

These changes underscore the growing importance of securing health data. In the present risk environment, businesses across sectors, not just those in the healthcare vertical, need to ensure that their privacy and cybersecurity programs adequately address health data.

Author

Elizabeth Roper is a partner in Baker McKenzie's North America Litigation and Global Dispute Resolution Practice. She is based in the New York office. Prior to joining the firm, Liz served in the Manhattan District Attorney's Office as Bureau Chief of the Cybercrime and Identity Theft Bureau (CITB). In this role, Liz directed the investigation and prosecution of all types of cybercrime impacting Manhattan, including sophisticated cyber-enabled financial crime such as identity theft, payment card fraud, and money laundering; network intrusions, hacking, ransomware, and "middleman" attacks; intellectual property theft; "dark web" trafficking of contraband; and the theft and illicit use of cryptocurrencies.

Author

Avi Toltzis is a Knowledge Lawyer in Baker McKenzie's Chicago office.