Governor Kathy Hochul signed several bills last month designed to strengthen protections for the personal data of consumers. One of those bills (S2659B) makes important changes to the notification timing requirements under the Empire State’s breach notification law, Section 899-aa of the New York General Business Law. The bill was effective immediately when signed, or December 21, 2024.

All fifty states have enacted at least one data breach notification law. Some states, such as California, have more than one statute – a generally applicable statute and one applying to certain health care entities. Over the years, many of these states have updated their laws in different respects. For example, some have expanded the definition of personal information, resulting in broader categories of personal information triggering a potential notification requirement if breached. Others have added requirements to notify one or more state agency. While some states have modified the specific notification requirements, such as the timing of notification. That is one of the changes New York made to its law.

Prior to the change, a business subject to the New York statute that experienced a covered breach would be required to provide notification to affected individuals:

in the most expedient time possible and without unreasonable delay.

There was no outside time frame by which the notice must be provided. The bill added a 30 day deadline. So, now, the law requires the breached entity to provide notification

in the most expedient time possible and without unreasonable delay, provided that such notification shall be made within thirty days after the breach has been discovered

Notably, prior to the change, the law excluded from this timing requirement the legitimate needs of law enforcement and “any measures necessary to determine the scope of the breach and restore the integrity of the systems.” The legitimate needs of law enforcement exception remains in the law, determining the scope of the breach and restoring system integrity do not.

S2659B also made a change to the state agencies that must be notified in the event of a breach under the statute. Under the prior law, if any New York residents were to be notified under the State’s breach notification law, the state attorney general, the department of state and, the division of state police all needed to be notified. The new law adds the Department of Financial Services to the list.

With breach notification requirements under federal law, the laws in all states and several localities, and increasingly embedded in contract obligations, it can be difficult stay up to date, particularly if the company is in the middle of handling the breach. In addition to it being required in some scenarios, this is one more reason why we recommend maintaining an incident response plan. Such a plan is a good place to track these kinds of developments for the company’s incident response team.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the…

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Joe counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards.

Benefits counseling experience – Joe’s work in the benefits counseling area covers many areas of employee benefits law.

Joe speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender’s Labor and Employment Bulletin, the Australian Privacy Law Bulletin and the Privacy, and Data Security Law Journal.