New York has enacted one of the strictest data breach notification laws in the U.S., requiring businesses to alert affected residents and regulators within thirty days of discovering a breach.
On December 24, 2024, New York Governor Kathy Hochul signed an amendment to the state’s data breach notification law. The amendment requires businesses to notify New York residents of data breaches within thirty days of discovery and mandates that the New York Department of Financial Services (NYDFS) be informed when a breach involves New York residents' personal information (PI).
The amendment modifies New York General Business Law § 899-aa and is effective immediately. Previously, the law required businesses to notify affected residents “in the most expedient time possible and without unreasonable delay,” leaving room for interpretation on the timeliness of notifications.
The amendment introduces clear deadlines for breach notifications. Businesses must now notify affected New York residents within thirty days of discovering a breach. This makes New York's timeline one of the strictest in the U.S., alongside similar requirements in Colorado, Florida, Maine, and Washington.
In addition to notifying residents, businesses must inform the NYDFS of breaches that trigger resident notifications. Prior to the amendment, New York law required notice to the State Attorney General, the New York Department of State, and the New York State Police, but NYDFS was not included.
The amendment also clarifies that businesses maintaining but not owning data containing New York residents' PI must notify data owners or licensees of breaches within thirty days. This replaces the previous requirement to notify “immediately,” providing a more concrete timeline.
Another notable change is the removal of language allowing businesses to delay resident notifications while investigating the breach and restoring system integrity. However, delays are still permitted to meet law enforcement needs.
Legal experts point out that the amendment provides much-needed clarity on the timeline for notifying residents. Previously, the requirement to notify residents “in the most expedient time possible” left room for interpretation, often leading to disputes over whether businesses acted promptly.
Additionally, NYDFS Commissioner Adrienne Harris welcomed the amendment, stating that adding NYDFS to the notification list will enhance oversight and coordination in protecting consumers.
New York's new 30-day breach disclosure rule reflects a growing trend toward stricter data breach laws as cyberattacks rise. Businesses must update their response plans to detect, investigate, and report breaches faster. Adding the NYDFS to the process signals increased regulatory oversight. As more states follow suit, companies must stay on top of data security and compliance to avoid penalties and reputational harm.
The amendment applies to any business that collects, stores, or maintains personal information (PI) of New York residents, regardless of whether the business is located in New York or another state.
Personal information includes a person’s name combined with sensitive data such as Social Security numbers, financial account details, login credentials, biometric data, or medical information. Unauthorized access to this data triggers the notification requirement.
Businesses that fail to notify affected residents or the New York Department of Financial Services within the 30-day timeframe could face fines, legal action, and penalties imposed by the Attorney General’s office. Repeated violations may increase penalties.
Third-party service providers that manage New York residents' personal information must notify the data owner within thirty days of discovering a breach. The responsibility to notify residents lies with the data owner.
The amendment removes the previous allowance to delay notifications while investigating a breach. Notifications can still be delayed if law enforcement requests a delay to avoid compromising an active investigation.