On December 24, 2024, New York Governor Kathy Hochul signed into law an amendment to New York General Business Law § 899-aa modifying the state’s data breach notification requirements.  The amended law, which is effective immediately, imposes new requirements businesses must follow when providing notifications following a data breach affecting New York residents.  Specifically, businesses now must disclose data breaches affecting New York residents within thirty days from the discovery of a breach.  Additionally, the amendment adds the New York Department of Financial Services (“NYDFS”) to the list of state regulators that must be notified whenever a breach requiring notification to New York residents occurs. 

New York’s data breach notification law requires persons and businesses that own or license data containing personal information (“PI”) to notify affected New York residents, certain state regulators, and (in some circumstances) consumer reporting agencies following a “breach” of PI.  A separate provision requiring notification to data owners and licensees applies to businesses and persons that maintain but do not own data containing New York residents’ PI.   

Prior to the amendment, New York’s data breach notification law did not set an explicit timeframe for data owners to notify residents whose PI was impacted.  Instead, the statute called for notification to residents “in the most expedient time possible and without unreasonable delay.”  This language is prevalent in state data breach notification statutes, and recent case law is not determinative of what constitutes a reasonable time period between determination of a breach and notification.  While New York’s law as amended preserves this language, it eliminates any doubt as to the outer bounds for timeliness by setting a thirty-day limit for notification of breaches involving PI of New York residents. 

The thirty-day notification requirement is the shortest among states that establish an explicit deadline for notification to individuals; however, it is not unique.  The New York amendment follows the lead of nearly identical provisions found in Colorado, Florida, Maine, and Washington’s data breach notification laws, which also impose a thirty-day limit for notification to individual state residents.

The revised law eliminates language that allowed businesses to delay notification to state residents “consistent with. . . any measures necessary to determine the scope of the breach and restore system integrity”; however, the “legitimate needs of law enforcement” remain valid grounds for delaying notification to affected residents.

The amendment also introduces a thirty-day deadline for businesses that maintain but do not own data containing PI to notify the owner or licensee in the event of a breach.  While the prior law required such notification to be made “immediately,” the amendment adds a clarification that, in any event, “such notification shall be made within thirty days following discovery.” 

The amendment further adds NYDFS to the list of state government regulators that must be notified in the event of a PI breach affecting New York residents.  Prior to the amendment, New York’s law required notice to the State Attorney General, the New York Department of State, and the New York State Police if any New York residents were notified of an incident pursuant to the law.  This reporting requirement is distinct from both the 72-hour cybersecurity incident notification requirement and the 24-hour extortion payment notification requirement that apply to NYDFS licensed financial institutions under 23 NYCRR Part 500.

Prior to the December 2024 amendment, the latest change to New York’s data breach notification law was introduced in 2019 via the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act, which broadened the scope of PI and the definition of breach.  The SHIELD Act also expanded the data security provisions applicable to any person or business that owns or licenses data containing New York residents’ PI.

Tags: breach notification, Cybersecurity, Data Breach, Data Security, Legislation, New York, New York Department of Financial Services
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ashden Fein Ashden Fein

Ashden Fein is co-chair of Covington’s Data Privacy and Cybersecurity Practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance. Ashden also serves as lead counsel…

Ashden Fein is co-chair of Covington’s Data Privacy and Cybersecurity Practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance. Ashden also serves as lead counsel in criminal, civil, and internal investigations involving cybersecurity, insider risk, and U.S. national security issues.

Ashden regularly counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Ashden also assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security and insider risks. He frequently represents government contractors in False Claims Act matters involving cybersecurity and national security. Additionally, he advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks. Ashden is a retired U.S. Army officer.

Read more about Ashden FeinEmail
Show more Show less
Photo of Micaela McMurrough Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other…

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Read more about Micaela McMurroughEmail
Show more Show less
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of…

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Read more about Caleb SkeathEmail
Show more Show less
Photo of Moriah Daugherty Moriah Daugherty

Moriah Daugherty advises clients on a broad range of cybersecurity and national security matters, with a particular focus on risk management and governance, regulatory compliance, incident response and crisis management, and internal and government investigations.

Moriah specializes in counseling clients on a variety…

Moriah Daugherty advises clients on a broad range of cybersecurity and national security matters, with a particular focus on risk management and governance, regulatory compliance, incident response and crisis management, and internal and government investigations.

Moriah specializes in counseling clients on a variety of issues related to cybersecurity risk management and governance, including evaluating security controls, practices, and policies and preparing for cybersecurity incidents and data breaches, including the potential for related investigations, regulatory inquiries, and litigation. She regularly counsels clients on responding to a broad range of cybersecurity incidents, including breaches of personal data and incidents involving extortion and ransomware, targeting and theft of intellectual property by advanced persistent threats, and state-sponsored theft of sensitive U.S. government information.

Drawing on her government experience, Moriah leads cyber-related internal investigations and investigations conducted in response to government inquiries, whistleblower complaints, and threats of litigation, including matters involving allegations of noncompliance with U.S. government cybersecurity regulations and fraud under the False Claims Act.

Prior to becoming a lawyer, Moriah spent eight years working for the Federal Bureau of Investigation and U.S. Department of Justice.

Read more about Moriah DaughertyEmail
Show more Show less