New York just finished a series of changes to its data breach notification requirements. Effective immediately, organizations must notify impacted individuals of a data breach within 30 days of its discovery instead of “in the most expedient time possible and without unreasonable delay.” Moreover, only entities regulated by the New York Department of Financial Services (DFS) must notify it of a data breach. While the December 2024 revisions read as if any organization notifying the NY Attorney General must also notify DFS, an amendment enacted on February 14, 2025 undid this change.
In terms of substance, effective March 21, 2025, the definition of “private information” under New York’s general security breach notification law will include medical and health insurance information. Medical information is any information relating to the following:
- an individual’s medical history;
- mental or physical condition; or
- medical treatment or diagnosis by a health care professional.
Health insurance information means the following:
- health insurance policy number or subscriber identification number;
- any unique identifier used by a health insurer to identify the individual; or
- any information in an individual’s application and claims history, including, but not limited to, appeals history.
These changes reflect a trend among states to bolster consumer privacy and are pursuant to two bills, S2659B/A8872A and S2376B/A4737B, signed into law by Governor Kathy Hochul on December 21, 2024, along with a chapter amendment enacted February 14, 2025, which clarified that the DFS requirements continue to apply only to those individuals and organizations subject to DFS’ jurisdiction.
Organizations should be aware of these changes and assess their data privacy practices. Norton Rose Fulbright can assist with cybersecurity incident response in light of these new requirements or compliance programming.