The amendment, which took effect immediately, incorporates provisions that other states have adopted in recent years. First, the amendment shortens the timeline for notifying consumers about data breaches. Second, the amendment adds regulatory reporting requirements.
Additional amendments that will take effect later this year also expand the scope of information classified as protected “personal information” under New York law, following another trend in many states.
The New York law as amended requires persons or businesses who own or license computerized data that includes private information to disclose any breach of the security of the system, as defined by the law, to any New York resident within 30 days of the date that the breach is discovered. The amendment also removed an exception that allowed businesses the time to take measures necessary to determine the scope of the breach and restore the integrity of the system before notification. Similarly, persons or businesses who maintain computerized data that includes private information that they do not own, must provide notice of the breach to the owner or licensee within 30 days. Previously, the law required notification to New York residents in “the most expedient time possible and without unreasonable delay,” and to data owners immediately after discovery.
The law was also amended to require notice to the New York Department of Financial Services when any New York resident is notified. This is in addition to already existing requirements to notify the state Attorney General, the Department of State, and the Division of State Police. However, a chapter amendment referenced in the Governor’s signing memorandum on Senate Bill 2659-B was introduced on January 8. The Amendment clarifies that if the company is not a Covered Entity under the New York Department of Financial Services, it does not have to notify the NYDFS of a data breach.
State and federal data breach laws are constantly changing. The New York amendments are consistent with current trends in state data breach law that add or shorten deadlines for businesses to notify consumers of data breaches. And as New York’s recent flurry of amendments demonstrates, the laws can often contain confusing or even contradictory sections.
