New York Gov. Kathy Hochul has signed several bills that are designed to strengthen protections of the personal data of consumers. One of those bills (Senate Bill S2659B) makes important changes to the notification timing requirements under the Empire State’s breach notification law (Section 899-aa of the New York General Business Law). S2659B was effective immediately upon its signature on Dec. 21, 2024.
All 50 states have enacted at least one data breach notification law. Some states, such as California, have more than one statute—a generally applicable statute and another applying to certain health care entities. Over the years, many of these states have updated their laws in different respects. For example, some have expanded the definition of personal information, resulting in broader categories of personal information triggering a potential notification requirement if breached. Others have added requirements to notify at least one state agency, while some states have modified the specific notification requirements, such as the timing of notification. That is one of the changes New York made to its law.
Prior to the change, a business subject to the New York statute that experienced a covered breach would be required to provide notification to affected individuals “in the most expedient time possible and without unreasonable delay.”
There was no outside time frame by which the notice must be provided, but S2659B added a 30-day deadline. So, the law now requires the breached entity to provide notification “in the most expedient time possible and without unreasonable delay, provided that such notification shall be made within 30 days after the breach has been discovered.”
Notably, prior to the change, the law excluded from this timing requirement the “legitimate needs of law enforcement” and “any measures necessary to determine the scope of the breach and restore the integrity of the system.” The “legitimate needs of law enforcement” exception remains in the law, but determining the scope of the breach and restoring system integrity do not.
S2659B also made a change to the state agencies that must be notified in the event of a breach under the statute. Under the prior law, if any New York residents were to be notified under the state’s breach notification law, the state attorney general, the New York Department of State, and the New York State Police all needed to be notified. The new law adds the New York Department of Financial Services to the list.
With companies facing breach notification requirements under federal law, laws in all states and several localities, and increasingly as part of contract obligations, it can be difficult to stay up-to-date, particularly if the company is in the middle of handling the breach. In addition to it being required in some scenarios, this is one more reason why it’s recommended to maintain an incident response plan. Such a plan is a good place to track these kinds of developments for the company’s incident response team.
Joseph J. Lazzarotti is an attorney with Jackson Lewis in Berkeley Heights, N.J. © 2025 Jackson Lewis. All rights reserved. Reposted with permission.
An organization run by AI is not a futuristic concept. Such technology is already a part of many workplaces and will continue to shape the labor market and HR. Here's how employers and employees can successfully manage generative AI and other AI-powered systems.
Related Content
HR must always include human intelligence and oversight of AI in decision-making in hiring and firing, a legal expert said at SHRM24. She added that HR can ensure compliance by meeting the strictest AI standards, which will be in Colorado’s upcoming AI law.
The proliferation of artificial intelligence in the workplace, and the ensuing expected increase in productivity and efficiency, could help usher in the four-day workweek, some experts predict.
Learn how Marsh McLennan successfully boosts staff well-being with digital tools, improving productivity and work satisfaction for more than 20,000 employees.