Privacy Daily is a service of Warren Communications News.

N.Y. Sets 30-Day Deadline for Data Breach Notifications

Privacy attorneys flagged changes to complying with New York’s data breach law in 2025. New York Gov. Kathy Hochul (D) last month signed two bills amending New York’s data breach law.

One measure (A-8872/S-2659) sets a 30-day deadline for businesses to notify the state about a data breach, effective immediately. Previously, businesses were required to notify only as quickly as possible and without unreasonable delay, blogged Jackson Lewis attorney Joseph Lazzarotti on Friday. “There was no outside time frame by which the notice must be provided.”

“With breach notification requirements under federal law, the laws in all states and several localities, and increasingly embedded in contract obligations, it can be difficult to stay up to date, particularly if the company is in the middle of handling the breach,” said Lazzarotti. “This is one more reason why we recommend maintaining an incident response plan.”

In addition, the Hochul-signed S-2376/A-4737 adds medical and health insurance information to the definition of identity theft, effective March 21. “New York joins a growing list of states to include these elements in their breach laws,” blogged Sheppard Mullin lawyers Liisa Thomas and Kathryn Smith on Friday.