New York Amends Data Breach Notification Law to Enhance Notification Requirements, Expand Definition of ‘Private Information’
On December 24, 2024, New York Governor Kathy Hochul signed into law amendments to New York’s private-sector data breach notification law ( General Business Law § 899-aa ) and government agency data breach notification law ( New York State Technology Law § 208 ). The private-sector changes include a thirty-day deadline for businesses to notify New York residents impacted by a data breach, and both laws now have an expanded definition of “private information” that includes medical and health insurance information. The new notification requirements are effective immediately, whereas the expanded definition of “private information” will become effective on March 21, 2025, for both laws. Quick Hits Businesses must now notify New York residents impacted by a data breach within thirty days after a data breach has been discovered. The state’s Department of Financial Services must now be notified of a data breach along with other regulatory agencies. The definition of “private informatio...