New York closed out 2024 by introducing several significant changes to its cybersecurity and breach notification laws. These changes, which arrived via a slate of bills signed into law by Governor Kathy Hochul on December 21, 2024, clarify existing notification requirements, bring New York's law into alignment with other states' requirements, and may prompt businesses to review their incident response procedures. The changes, along with earlier guidance issued by the New York Department of Financial Services ("DFS"), demonstrate that New York's regulatory landscape is continually evolving to address new threats. Businesses should keep pace with these developments by reviewing the new laws and by modifying their cybersecurity and incident response policies accordingly.
Notice Requirements for Data Breaches
Senate Bill S2659B, effective immediately, makes significant changes to the timing and process for notifying New York authorities of cybersecurity incidents pursuant to the SHIELD Act (NY General Business Law §899-aa et seq.), New York's breach notice statute.
Under existing law, disclosure of relevant breaches was to "be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement." The new law now specifies that notice must be provided within 30 days of the discovery of the breach.
S2659B initially imposed a new requirement to notify DFS (in addition to the New York Attorney General, the Department of State, and the State Police) of a data breach, regardless of whether the disclosing company was otherwise subject to DFS regulation. But that requirement was updated via a January 8, 202 chapter amendment clarifying that only DFS-covered entities are required to notify DFS (as set forth in the DFS cybersecurity regulations, specifically NYCRR § 500.17) of relevant data breaches. Businesses subject to DFS regulation should note that NYCRR § 500.17 requires notification to the DFS within 72 hours from the determination that a cybersecurity event has occurred, a much less forgiving timeframe than even the new SHIELD Act requirement.
Businesses will need to update their incident response programs to ensure that they comply with these new notification requirements.
Expanded Breach Definition
Assembly Bill A4737B, effective March 21, 2025, amends the SHIELD Act to add "medical information" and "health insurance information" to the categories of data that comprise "private information" whose compromise may require notification to state authorities. This change brings New York in line with many other states, which already require notification of data breaches involving medical and health insurance information.
Under the amended law, "health insurance information" is defined as: "an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual or any information in an individual's application and claims history, including, but not limited to, appeals history." The amended law further defines "medical information" as "any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional."
The addition of "medical information" and "health insurance information" to the categories of information that comprise "private information" means that a breach of "medical information" or "health insurance information" in combination with "personal information" (i.e., information that can be used to identify a person, such as a name) may trigger an obligation for the entity that experiences the incident to disclose it to New York authorities.
The bill also correspondingly amends the identity theft section of New York's penal code to expressly prohibit the theft of "medical information" and "health insurance information".
These changes underscore the growing importance of securing health data. In the present risk environment, businesses across sectors, not just those in the healthcare vertical, need to ensure that their privacy and cybersecurity programs adequately address health data.