New York Amends Data Breach Law, Sets 30-Day Notification Deadline

January 7, 2025

In a significant move to strengthen data protection, New York Governor Kathy Hochul signed an amendment to the New York General Business Law § 899-aa on December 24, 2024, establishing a specific timeline for data breach notifications. This amendment marks a crucial update in the state’s data breach notification requirements, mandating that businesses notify affected New York residents within thirty days from the discovery of a data breach. Additionally, the New York Department of Financial Services (NYDFS) has been included in the list of state regulators that must be informed about such breaches, joining the State Attorney General, the New York Department of State, and the New York State Police. This adjustment aims to clarify and expedite the notification process, ensuring that residents and relevant authorities are promptly informed of any data compromises.

Prior to this amendment, businesses were required to notify residents “in the most expedient time possible and without unreasonable delay.” While this phrase is common in state data breach laws, its vagueness in terms of timing often led to compliance challenges and inconsistencies. By setting a clear thirty-day deadline, New York now joins states like Colorado, Florida, Maine, and Washington, which have established similar explicit deadlines for data breach notifications. This move cements New York’s position as having the shortest notification requirement among states with specific timelines, underscoring the state’s commitment to prompt and efficient data breach responses.

Impact on Businesses and Data Maintainers

The amended law introduces significant changes for businesses that maintain but do not own data containing personal information (PI), imposing new obligations related to breach notifications. Under the updated regulation, these businesses must notify the data owners or licensees about breaches within thirty days, replacing the previous requirement of immediate notification. This change aims to standardize the notification timeline, providing greater clarity and predictability for both data maintainers and owners. By aligning the notification responsibilities for maintaining and owning businesses, the amendment ensures that all parties involved in data management are held accountable for timely breach reporting.

Moreover, the revised law eliminates the provision that allowed businesses to delay notifications for measures necessary to determine the scope of the breach and restore system integrity. While businesses can no longer postpone notifications for these reasons, delays for legitimate law enforcement needs remain valid. This adjustment intends to reduce delays and improve the overall timeliness of notifications, ensuring that affected individuals are informed as swiftly as possible. By balancing the need for immediate action with the necessity of legal compliance, the amendment strives to enhance the transparency and efficiency of the data breach notification process.

Historical Context and Future Implications

In a significant move to enhance data protection, New York Governor Kathy Hochul signed an amendment to the New York General Business Law § 899-aa on December 24, 2024. This amendment sets a clear timeline for data breach notifications, requiring businesses to inform affected New York residents within thirty days of discovering a breach. The amendment also mandates that the New York Department of Financial Services (NYDFS) be included among the notified state regulators, joining the State Attorney General, the New York Department of State, and the New York State Police. This change aims to streamline and speed up the notification process, ensuring that residents and relevant authorities are swiftly alerted to data breaches.

Before this amendment, businesses were required to notify residents “in the most expedient time possible and without unreasonable delay.” However, this vague phrasing made compliance difficult and inconsistent. By establishing a definitive thirty-day deadline, New York aligns with states like Colorado, Florida, Maine, and Washington, which have similar specific timelines. This change highlights New York’s strong commitment to prompt and effective responses to data breaches.
