New York Data Breach Notification Law Updated

by Jenna Rode and Emilie Galper


New York Governor Kathy Hochul recently signed into law several bills (S2659B and S2376B) modifying the state’s data breach notification law. The amendments revise the timing requirements for notice to affected individuals, expand the list of regulators to be notified, and add new data elements to New York’s definition of “private information.”

  • Timing Requirements: Before the amendment, New York’s breach notification law required notification to affected New York residents “in the most expedient time possible and without unreasonable delay.” As of December 21, 2024, the law requires affected individuals to be notified no later than 30 days after discovery of the breach, except “for the legitimate needs of law enforcement.”
  • Additional Regulator Notice Requirements: Also effective December 21, 2024, the law now requires notice to the New York Department of Financial Services. Previously, the law required notice to the New York State Attorney General, the New York Department of State, and the Division of State Police.
  • Revised Definition of “Private Information”: Effective March 25, 2025, the definition of “private information” subject to the law’s notification requirements will include (1) medical information (i.e., any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional) and (2) health insurance information (i.e., an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including, but not limited to, appeals history).
  • HIPAA Exemption: Pursuant to the law’s HIPAA exemption, a breach of protected health information would not trigger additional notification requirements to affected individuals. However, the law still requires notice to certain regulators, including the New York State Attorney General, the New York Department of State, and the Division of State Police. Notably, the HIPAA exemption was not amended and does not reflect the law’s new general requirement to notify the New York Department of Financial Services.

Jenna Rode is Of Counsel and Emilie Galper is an Associate at Hunton Andrews Kurth LLP. This post first appeared as a blog post for the firm.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regard to infringement of intellectual property rights remains with the author(s).