Are you in the know? New York amends data breach law

On December 24, New York Gov. Kathy Hochul (D) signed into law an amendment to section 899-aa of the N.Y. General Business Law, also known as the SHIELD Act, modifying the law’s data breach notification requirements.

The amendment, which took effect immediately, incorporates provisions that other states have adopted in recent years. First, the amendment shortens the timeline for notifying consumers about data breaches. Second, the amendment adds regulatory reporting requirements.

Additional amendments that will take effect later this year also expand the scope of information classified as protected “personal information” under New York law, following another trend in many states.  

The New York law as amended requires persons or businesses who own or license computerized data that includes private information to disclose any breach of the security of the system, as defined by the law, to any New York resident within 30 days of the date that the breach is discovered. The amendment also removed an exception that allowed businesses the time to take measures necessary to determine the scope of the breach and restore the integrity of the system before notification. Similarly, persons or businesses who maintain computerized data that includes private information that they do not own must provide notice of the breach to the owner or licensee within 30 days. Previously, the law required notification to New York residents in “the most expedient time possible and without unreasonable delay,” and to data owners immediately after discovery.

The law was also amended to require notice to the New York Department of Financial Services when any New York resident is notified. This is in addition to existing requirements to notify the state Attorney General, the Department of State, and the Division of State Police. However, a chapter amendment referenced in the Governor’s signing memorandum on Senate Bill 2659-B was introduced on January 8. The amendment clarifies that if the company is not a Covered Entity under the New York Department of Financial Services, it does not have to notify the NYDFS of a data breach.

State and federal data breach laws are constantly changing. The New York amendments are consistent with current trends in state data breach law that add or shorten deadlines for businesses to notify consumers of data breaches.  And as New York’s recent flurry of amendments demonstrates, the laws can often contain confusing or even contradictory sections. 

The Constangy Cyber Team regularly counsels businesses of all sizes and industries on how to comply with the growing number of data privacy laws and regulations. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.

  • Partner

    As a member of our incident response team, Bert applies several years of experience managing responses to data privacy and security incidents. He assists clients with a variety of data privacy and security matters, including ...

  • Lauren Godfrey
    Partner

    Lauren guides clients through data security incidents, leading initial assessments and coordinating forensic and remediation efforts to contain, investigate, and resolve issues. She helps clients develop privacy, incident ...

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 
