In December 2024, New York Governor Kathy Hochul signed into law two bills (A8872A and S2376B; collectively, the “Bills”) that amend New York’s Data Breach Notification Law.[1] The Bills introduce a maximum thirty-day timeframe for notifying affected New York residents of a reportable “breach of the security of the system”[2] under state law (a “Data Breach”), require Data Breaches to be reported to the New York State Department of Financial Services (“NYSDFS”), and add medical information and health insurance information to the categories of private information that may be subject to a Data Breach. According to their legislative history, the Bills were introduced in order to address “a broad sense of uncertainty by experts and lawmakers as to which federal regulations, if any, [are] charged with the responsibility to monitor and do regular supervision on cybersecurity.”[3] While the Bills are likely to have a limited effect on HIPAA covered entities and business associates, they stand to significantly impact other persons and businesses in New York, including life sciences and consumer health care companies that are not subject to HIPAA.
The full Ropes & Gray client alert is available on the firm’s website.