In late 2024, the governor of New York signed several bills relating to data privacy, data breach/identity theft, and social media practices that will affect covered companies' business in New York. Although some of these new laws are specific to social media, many companies will have to comply with the new data breach reporting requirements. In brief, those requirements broaden the scope of protected information, the number of agencies to which a data breach must be reported, and the timing of making required reports.
WHY IT MATTERS
All fifty states have laws that govern what a company must do if it suffers a data breach affecting residents of that state. These laws have existed in one form or another for about twenty years. Typically, they require notice to affected consumers if a defined set of “personal information” is accessed or removed from an electronic system, and they cover a fairly narrow range of information (usually financial account, driver's license, and PIN/password details), because they were originally conceived as identity theft protection laws at a time when electronic banking and electronic identity were relatively new. If a covered business suffers an attack on the kind of information covered by the statute, it is generally required to report that attack to the residents of the state whose information was affected; this is why you frequently receive email notices from app and website providers informing you that your personal information may have been compromised in a data breach. In some cases, the laws also set a timetable for reporting and require the affected company to notify the state Attorney General or other authorities of a reportable breach.
New York's new laws broaden the reach of its data breach reporting statute in several ways:
- Reportable breaches must be reported within 30 days;
- The state financial regulator (the Department of Financial Services) must be among the parties notified of any breach affecting New York residents; and
- The scope of personal information that can trigger a reporting requirement has been expanded to include medical information and health insurance information.
For any company doing business in New York, these requirements could substantially change how it responds to any cyber event that involves the data of New York residents. Companies will have to act quickly to identify that New York data were involved, assess whether covered information was “breached” within the meaning of the law, and report to several New York regulators, including the state's financial watchdog. Any company that holds medical or insurance-related information about New Yorkers should be especially aware of these requirements. The law does not displace HIPAA, but, depending on the kinds of information they handle, it could create new reporting obligations for companies that HIPAA does not reach, for example consumer health and wellness companies.