Organizations handling New Yorkers’ data now face one of the country’s shortest breach notification deadlines. Morrison Foerster attorneys Melissa Crespo and Reiley Porter break down the state’s recent amendments that impose a 30-day notification requirement and expand protected information categories to include medical and health insurance data.
Recent amendments to New York General Business Law § 899-aa, New York’s data breach notification law, coincide with a long-term shift across states toward broader definitions of personal information and stricter notice timing requirements. Organizations that process data of any of New York’s 20 million residents should consider how the changes will impact existing organizational approaches to incident response and breach notification.
These amendments introduced three key changes to the breach notification law: a new 30-day breach notice timeline, a requirement that New York Department of Financial Services (DFS)-regulated entities must notify DFS of a breach and an updated definition of “private information” that includes medical and health insurance information. The amendments were signed into law by Gov. Kathy Hochul in December and followed by a further clarifying amendment in February.
30 days to notify
Effective Dec. 21, 2024, any business that experiences a breach of New York residents’ private information must notify affected residents within 30 days of discovering the breach. The amendment maintains the exception for delays “for the legitimate needs of law enforcement.” Prior to this amendment, the requirement was to provide notice “in the most expedient time possible and without unreasonable delay” with no specified timeline.
The 30-day notice requirement also applies to service providers who must instead notify their customer — the data owner — of any breach. Service providers are still required to notify the data owner of any breach immediately following discovery of a breach, but the law now specifies that such notice must be made within 30 days following discovery of a breach.
With this amendment, New York joins nearly 20 other states that require notice within a specific number of days (typically 30 to 60) after discovering a data breach.
Notification to NY Department of Financial Services
Also effective Dec. 21, 2024, any DFS-regulated business that notifies any New York resident of a breach is required to notify DFS, in addition to the New York State attorney general, the New York Department of State and the state police. The original text of the amendment implied that all businesses were obligated to notify DFS, but a further amendment signed into law Feb. 14 clarifies that this requirement applies only to DFS-regulated businesses. The attorney general maintains a form for simultaneous notice to the attorney general, department of state and state police, but DFS-regulated businesses will need to notify DFS of a breach of private information separately, consistent with the existing DFS cybersecurity event reporting requirement found in 23 NYCRR 500.17.
This amendment does not necessarily expand the DFS cybersecurity event reporting requirement; under 23 NYCRR 500.17, DFS-regulated entities are already required to notify DFS of cybersecurity events that require notice to other government bodies (such as the attorney general, department of state and state police). However, the amendment solidifies the requirement to notify DFS, in addition to their other regulators, in the body of the data breach notification law itself.
New notice requirements for medical and health insurance information
As of March 21, the definition of covered information includes medical and health insurance information. New York state did not previously require notification for breaches that impacted medical or health insurance information. Under the amended law, medical and health insurance information are defined as follows:
- Medical information: Any information regarding an individual’s medical history, mental or physical condition or medical treatment or diagnosis by a healthcare professional.
- Health insurance information: An individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual or any information in an individual’s application and claims history, including, but not limited to, appeals history.
This change will have little impact on HIPAA-regulated entities navigating health information breaches in New York as the law provides a HIPAA exception to individual notice (while still requiring these entities to notify the attorney general, department of state and state police of the breach). However, life sciences and healthcare companies that are not bound by HIPAA, as well as other entities that may process covered medical information, will need to consider this expanded definition in incident response and breach notification planning going forward.
With this amendment, New York joins two dozen other states that include health and medical information in the definition of personal information under their breach notification laws.
Implications for incident response and breach notification
Organizations may need to adapt their existing incident response plans to align with the new requirements. Notification within 30 days is among the shortest breach notice timing requirements across the US, and timely and accurate breach notifications require significant proactive work, including organizational knowledge about data storage and classifications, legal counsel to prepare compliant notifications to individuals and regulators and, as needed, relationships with third-party forensic, data review or notification vendors to support the timely response.
Additionally, entities that are not regulated by HIPAA but that process medical or health insurance information will need to consider the specific impact this law will have on their breach notice process going forward. Data classification policies or data review processes may also require updates to align with the expanded definition of personal information and enable organizations to make prompt and accurate breach notices.
US trends
New York is far from the first state to expand the definition of personal or private information, extend the application of its data breach notification laws or require swift notice following a data breach. These amendments are part of a national trend toward more expansive rights to privacy and increased focus on reasonable cybersecurity that prioritizes the protection of personal and other sensitive data.
Over the past 10 years, many US states have extended their data breach notification laws to cover types of personal information beyond those historically associated with identity theft and financial fraud (such as government-issued identifiers and financial account information). Among the most common additions to covered information under these laws, in states like Illinois, Oregon and Rhode Island, have been health and medical information, biometric and genetic information, account credentials and precise geolocation data. States that had no prior data breach notification law, like South Dakota, New Mexico and Alabama, have also written more expansive definitions of covered personal information into their new laws. The same is true for quick notice timelines: new data breach notification laws and amendments to existing laws increasingly include specific and shorter notice timing requirements, though 30 to 60 days after discovery of a breach is still the typical timeframe.
Organizations that process personal information should be aware of the trend toward broader definitions of covered information and quicker deadlines for data breach notice. Preparation and ongoing review of incident response strategies will be key for organizations that are expected to notify of data breaches more frequently and more quickly than ever before.