A MoFo Privacy Minute: New York Data Breach Notification

14 Mar 2025
Client Alert

This is “A MoFo Privacy Minute,” where we answer the questions our clients are asking us in sixty seconds or less.

Question: How do the recent amendments to the New York data breach notification law (New York General Business Law § 899-aa) impact my organization’s approach to incident response and breach notification?

Answer: There are three key changes to the breach notification law: 1) a new 30-day breach notice timeline, 2) a requirement that New York Department of Financial Services (DFS)-regulated entities must notify DFS of a breach, and 3) an updated definition of “private information” that includes medical and health insurance information.

Thirty Days to Notify:

Effective December 21, 2024, any business that experiences a breach of New York residents’ private information must notify impacted residents within 30 days of discovering the breach. The amendment maintains the exception for delays “for the legitimate needs of law enforcement.” Prior to this amendment, the requirement was to provide notice “in the most expedient time possible and without unreasonable delay.”

The 30-day notice requirement also applies to service providers who must instead notify their customer—the data owner—of any breach. Service providers are still required to notify the data owner of any breach immediately following discovery, but the law now specifies that notice must be made within 30 days following discovery.

Notification to the Department of Financial Services:

Also effective December 21, 2024, any DFS-regulated business that notifies any New York resident of a breach must notify DFS, in addition to the New York State Attorney General (AG), the New York Department of State (Department of State), and the Division of State Police (State Police). The original text of the amendment implied that all businesses were obligated to notify DFS, but a further amendment signed into law on February 14, 2025, clarifies that this requirement only applies to DFS-regulated businesses. The AG maintains a form for simultaneous notice to the AG, Department of State, and State Police, but DFS-regulated businesses will need to notify DFS separately, consistent with the existing DFS cybersecurity event reporting requirement found in 23 NYCRR 500.17.

New Notice Requirements for Medical and Health Insurance Information:

As of March 21, 2025, the definition of private information will include medical and health insurance information. New York State did not previously require notification for breaches that impacted medical or health insurance information. Under the amended law, medical and health insurance information are defined as follows:

  • Medical information means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
  • Health insurance information means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including, but not limited to, appeals history.

This change will have little impact on HIPAA-regulated entities navigating health information breaches, as the law provides a HIPAA exception to individual notice (while still requiring these entities to notify the AG, Department of State, and State Police of the breach). However, life sciences and healthcare companies not regulated by HIPAA, as well as other entities that process covered medical information, will be impacted by this expanded definition.


We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.