New York's Data Breach Notification Law Update: What DPOs Need to Know
Overview of the Changes

New York Governor Kathy Hochul recently signed two bills, SO2659 and SO2376, amending the state’s data breach notification law. These changes introduce significant updates that DPOs must be aware of:

  1. New notification timeline
  2. Expanded definition of “private information”
  3. Additional regulatory notification requirements

Key Updates for DPOs

1. 30-Day Notification Requirement

Previously, New York’s law had no specific deadline for notifying affected individuals. Now, organizations must provide notice within 30 days of discovering a breach. This change necessitates a reevaluation of incident response planning and execution to ensure compliance with the new timeline.

2. Expanded Definition of Private Information

As of March 25, 2025, “private information” will include medical information and health insurance information. This broadens the scope of data that falls under the law’s protection, impacting data mapping and classification processes.

3. New Regulatory Notification

The New York Department of Financial Services has been added to the list of regulators that must be notified in the event of a breach. This has significant implications for financial institutions and other regulated entities, requiring updates to breach notification procedures.

Action Items for DPOs

  1. Review and update incident response plans to ensure compliance with the new 30-day notification requirement.
  2. Assess data inventories and adjust data classification schemes to account for the expanded definition of private information.
  3. Update breach notification procedures to include the New York Department of Financial Services where applicable.
  4. Conduct training for relevant staff on the new requirements.

Conclusion

As data protection regulations continue to evolve, DPOs must stay informed and proactive in adapting their organizations’ practices. These changes to New York’s data breach notification law reflect a growing trend towards stricter privacy protections and faster incident reporting. By understanding and implementing these new requirements, DPOs can help their organizations maintain compliance and protect individuals’ data more effectively.