New York’s Data Breach Law Updated and What Your Business Needs to Know
In the ever-changing landscape of data security, staying on top of the latest legal updates is crucial. If your business handles personal information for New York residents, you’ll want to be aware of some significant updates to the state’s data breach notification laws. On December 24, 2024, New York Governor Kathy Hochul signed into law an amendment to the state’s existing data breach law, known as The Shield Act. This new change brings tighter rules for how quickly businesses must notify consumers and introduces additional reporting requirements.
The most immediate change that businesses need to understand is the shortened timeline for notifying individuals affected by a data breach. Under the amended law, businesses now have just 30 days from discovering a breach to notify any impacted New York residents. This is a significant reduction from the previous language, which required notification “without unreasonable delay.” The amendment also removes the previous provision that allowed businesses to take time to assess the breach and restore system integrity before informing affected individuals.
Beyond notifying the affected parties, the amended law introduces new regulatory reporting obligations. Businesses will now be required to report breaches to the New York Department of Financial Services (“NYDFS”) whenever a New York resident is impacted. This is in addition to existing obligations to inform the state’s Attorney General, Department of State, and the Division of State Police.
Looking ahead, there are additional updates coming later this year that will expand the definition of “personal information” under New York law. This will align with trends in other states, meaning more types of data will be protected under the state’s data breach laws.
As a business owner or leader, it’s essential to keep in mind that these changes not only impact the notification process but also the overall compliance landscape. Data breach laws are evolving rapidly, and the New York amendments reflect broader trends of shortening deadlines and expanding notification requirements.
Compliance Recommendation.
With these recent updates, it’s more important than ever to ensure your business is prepared for any potential data breach. The 30-day notification deadline leaves little room for delay, and the added regulatory reporting requirements could increase the administrative burden on your team. In light of these changes, we recommend reviewing your data breach response procedures to ensure they align with the new timelines and reporting obligations. It’s also a good idea to stay on top of upcoming amendments to ensure your business remains in compliance.
Finally, given the complexity of data breach laws and the potential penalties for non-compliance, we strongly advise consulting with a legal expert to ensure that your business is fully prepared to navigate these updates and manage any breaches efficiently.
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.