ALBANY, N.Y. — Governor Kathy Hochul of New York has recently enacted new legislation that modifies the state’s data breach notification laws, introducing stringent requirements for how breaches must be reported and expanding the scope of information that qualifies as private. The changes are set to enhance consumer protections amid rising concerns over data security and privacy.
Under the new laws signed by Gov. Hochul, businesses will face more specific timelines for notifying New York residents about data breaches. Prior to these amendments, the law mandated that notifications be made as promptly as possible and without undue delay. The revised statute, which takes effect on December 21, 2024, will now require organizations to notify impacted individuals within 30 days after the discovery of a data breach, unless holding off on notification is requested by law enforcement for legitimate reasons.
In addition to tightening the notification timeline, the updated legislation extends the list of regulators that must be informed when a breach occurs. Starting December 21, 2024, the New York Department of Financial Services will join the roster of agencies that already includes the New York State Attorney General, the New York Department of State, and the Division of State Police. This expansion ensures that a wider array of regulatory bodies is kept in the loop, potentially improving the oversight of and response to data breaches.
The scope of what is considered “private information” is also set to expand significantly. Effective March 25, 2025, the definition will encompass medical and health insurance information. More specifically, the category will include detailed aspects such as an individual’s medical history, medical treatments, and conditions diagnosed by healthcare professionals, as well as health insurance policy numbers and subscriber identification numbers, among other details.
Importantly, while the amendments introduce broader notification obligations, they maintain a HIPAA exemption. This means that breaches involving protected health information already covered by HIPAA will not trigger the new notification requirements to individuals. However, notifications to the specified regulatory agencies remain mandatory, although this exemption does not extend to the newly required notifications to the New York Department of Financial Services.
These legislative updates come at a time when concerns over data privacy and security breaches are particularly pronounced, reflecting the state’s commitment to bolstering consumer protections in the face of evolving digital threats. They suggest a significant step toward tightening the legal frameworks surrounding data breaches, aiming to ensure more timely and comprehensive responses to such incidents.