New Year, New Data Breach Notification Requirements in New York: Impactful Changes for Life Sciences and Consumer Health Care Companies

Alert
January 13, 2025

In December 2024, New York Governor Kathy Hochul signed into law two bills (A8872A and S2376B; collectively, the “Bills”) that amend New York’s Data Breach Notification Law.[1] The Bills introduce a maximum thirty-day timeframe for notifying affected New York residents of a reportable “breach of the security of the system”[2] under state law (a “Data Breach”), require Data Breaches to be reported to the New York State Department of Financial Services (“NYSDFS”), and add medical information and health insurance information to the categories of private information that may be subject to a Data Breach. According to their legislative history, the Bills were introduced to address “a broad sense of uncertainty by experts and lawmakers as to which federal regulations, if any, [are] charged with the responsibility to monitor and do regular supervision on cybersecurity.”[3] While the Bills are likely to have a limited effect on HIPAA covered entities and business associates, they stand to significantly impact other persons and businesses in New York, including life sciences and consumer health care companies that are not subject to HIPAA.

Specifically, key changes to the New York Data Breach Notification Law include:

  1. Effective immediately, requiring notification of a Data Breach to affected New York residents within thirty days of discovery (although no additional individual notification is required under state law for Data Breaches involving individual notification under HIPAA);
  2. Effective immediately, requiring Data Breach notification to be provided to NYSDFS, in addition to the pre-existing requirement to notify the New York State Attorney General (“NYSAG”), the department of state (“NYSDOS”), the division of state police (“NYSDSP”), and—if more than five thousand New York residents are affected—consumer reporting agencies; and
  3. Effective March 21, 2025, expanding the definition of “private information” that may be subject to Data Breach notification requirements to include medical information and health insurance information.

This alert summarizes these changes.

I. Individual Data Breach Notification Timeframe

New York’s Data Breach Notification Law, which was last significantly updated with the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act of 2019, requires any person or business that owns or licenses computerized data that includes private information[4] to disclose any Data Breach to any New York State resident whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.[5] Previously, the law required that such notification be made “in the most expedient time possible and without unreasonable delay.” The Bills provide that “such notification shall be made within thirty days after the breach has been discovered.” Similarly, they require that any person or business that maintains computerized data that includes private information it does not own must notify the owner or licensee of the information within thirty days of a Data Breach.[6] These changes are effective immediately.

Provisions of New York’s Data Breach Notification Law addressing requirements for reportable Data Breaches under the federal Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (“HIPAA”) remain in effect. Specifically, just as before, the law does not require additional Data Breach notification to individuals for breaches that are subject to individual notification requirements under HIPAA.[7] Therefore, HIPAA’s requirement to provide individual breach notifications within sixty days supersedes the new thirty-day requirement in the New York Data Breach Notification Law. In addition, the law still requires notification of HIPAA breaches to the NYSAG within five business days of notification to the Secretary of Health and Human Services.[8]

II. Data Breach Notification to NYSDFS and Other State Agencies

In addition to notification to affected New York residents, New York’s Data Breach Notification Law requires a person or business that has suffered a Data Breach to notify certain state agencies.[9] The obligation to notify these agencies applies to both HIPAA breaches and non-HIPAA Data Breaches.[10] Previously, the law required notification to the NYSAG, NYSDOS, and NYSDSP as to the timing, content, and distribution of notices provided to affected New York residents and the approximate number of affected persons. The Bills add a requirement to notify NYSDFS as well, effective immediately. Just as before, breaches affecting more than five thousand New York residents must also be reported to consumer reporting agencies.

The new requirement to notify NYSDFS is distinct from existing NYSDFS cybersecurity event notification requirements for certain NYSDFS-regulated entities, which were introduced in late 2023.[11] Under this new requirement, any person or business that has suffered a Data Breach involving private information of New York residents will need to notify NYSDFS, regardless of whether it is an NYSDFS-regulated entity. This significantly expands the role of NYSDFS in regulating Data Breaches affecting New York residents. Currently, notifications to NYSAG, NYSDOS, and NYSDSP are submitted simultaneously through the NYSAG’s online breach reporting portal.[12] It remains to be seen whether notification to NYSDFS will be facilitated through the breach reporting portal as well.

Additionally, New York-licensed hospitals should note that, pursuant to regulations adopted in October 2024, they are also required to notify the New York State Department of Health within seventy-two hours after determining that a cybersecurity incident has occurred,[13] in addition to the notification obligations set forth under the Data Breach Notification Law.

III. Expansion of Definition of “Private Information” Subject to Breach Notification Requirements to Include Medical Information and Health Insurance Information

Effective March 21, 2025, the Bills expand the definition of “private information” under New York’s Data Breach Notification Law to include “medical information”[14] and “health insurance information.”[15] This is part of an increasing trend of state breach notification laws that encompass medical and health insurance information. As noted above, pre-existing provisions of the law governing interactions with HIPAA breach reporting requirements remain in effect. Therefore, this expansion of the definition of “private information” is not likely to have a significant effect on HIPAA covered entities and business associates, as individual breach notification obligations under HIPAA still supersede individual notification obligations under the New York Data Breach Notification Law. However, covered entities and business associates are still required to notify NYSAG, NYSDOS, NYSDSP, and now NYSDFS, of a Data Breach, including a HIPAA breach.

Nevertheless, once effective, the revised definition of “private information” will have a significant impact on life sciences and consumer health care companies that are not regulated by HIPAA but that otherwise may maintain medical information or health insurance information. While these companies historically were not required to report Data Breaches involving medical information or health insurance information when the definition of “private information” was not otherwise triggered, they will now have to notify individuals and relevant New York state agencies of such Data Breaches. Consequently, these entities may face increased risk of financial and reputational harm and class action litigation.

IV. Conclusion

Any person or business maintaining computerized data that includes the private information of New York residents is subject to the Bills’ new Data Breach notification requirements. Such persons and businesses should update their breach notification processes to provide for individual notification within thirty days (unless individual notification is provided under HIPAA) and notification to NYSDFS in addition to other state agencies listed in the New York Data Breach Notification Law. Non-HIPAA regulated entities, such as life sciences and consumer health care companies, that maintain medical information and health insurance information should keep in mind that such data will be considered “private information” subject to individual and regulatory Data Breach notification requirements. Such entities should ensure that their cyber liability policies and contractual indemnification rights include coverage for costs related to Data Breaches involving medical information and health insurance information.

  1. N.Y. Gen. Bus. Law ch. 20 art. 39-F.
  2. N.Y. Gen. Bus. Law § 899-aa(1)(c) defines “breach of the security of the system” as unauthorized access to or acquisition of, or access to or acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business. Good faith access to, or acquisition of, private information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.
  3. N.Y. State Assembly Memorandum in Support of Legislation, available at: https://nyassembly.gov/leg/?default_fld=%0D%0A&leg_video=&bn=A08872&term=2023&Summary=Y&Memo=Y&Text=Y.
  4. N.Y. Gen. Bus. Law § 899-aa(1)(b) defines “private information” as either:
    1. personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:
      1. social security number;
      2. driver's license number or non-driver identification card number;
      3. account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual's financial account;
      4. account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
      5. biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity;
        [Effective March 21, 2025: (6) medical information; or (7) health insurance information;] or
    2. a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
      “Private information” does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.
  5. N.Y. Gen. Bus. Law § 899-aa(2).
  6. N.Y. Gen. Bus. Law § 899-aa(3).
  7. N.Y. Gen. Bus. Law § 899-aa(2)(b). The same also applies to Data Breach notifications to New York residents under Title V of the Gramm-Leach-Bliley Act or other New York state laws.
  8. N.Y. Gen. Bus. Law § 899-aa(9).
  9. N.Y. Gen. Bus. Law § 899-aa(8).
  10. These requirements also apply to Data Breach notifications to New York residents under Title V of the Gramm-Leach-Bliley Act or other New York state laws.
  11. For more information on the NYSDFS cybersecurity event notification requirements, see Christine Moundas, NYSDFS Expands Requirements for Cybersecurity Governance, Safeguards and Incident Reporting for New York State Health Insurance Companies, Ropes & Gray LLP (Nov. 20, 2023), https://www.ropesgray.com/en/insights/alerts/2023/11/nysdfs-expands-requirements-for-cybersecurity-governance-safeguards-and-incident.
  12. Available at https://formsnym.ag.ny.gov/OAGOnlineSubmissionForm/faces/OAGSBHome;jsessionid=9ERMyZPM-GdAsEzEA_gmQO-e4M1jBQl2Hb2s3_-xFKR9ns4he9f7!1342623467.
  13. For more information on the hospital cybersecurity incident reporting requirements, see Christine Moundas, Gideon Zvi Palte, and William Shefelman, New York State Adopts New Cybersecurity Program and Incident Reporting Requirements for Hospitals, Ropes & Gray LLP (Oct. 3, 2024), https://www.ropesgray.com/en/insights/alerts/2024/10/new-york-state-adopts-cybersecurity-program-and-incident-reporting-requirements-for-hospitals.
  14. “Medical information” is defined as any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
  15. “Health insurance information” is defined as an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual or any information in an individual's application and claims history, including, but not limited to, appeals history.