New York just finished a series of adjustments to its data breach notification requirements. Effective immediately, organizations must notify impacted individuals of a data breach within 30 days of its discovery, instead of “in the most expedient time possible and without unreasonable delay.” Moreover, only entities regulated by the New York Department of Financial Services (DFS) must notify it of a data breach. While the December 2024 revisions read as though any organization notifying the NY Attorney General must also notify DFS, an amendment enacted on February 14, 2025, undid this change.
In terms of substance, effective March 21, 2025, the definition of “personal information” under New York’s general security breach notification law will include medical and health insurance information. Medical information is any information relating to the following:
- an individual’s medical history;
- mental or physical condition; or
- medical treatment or diagnosis by a health care professional.
Health insurance information means the following:
- health insurance policy number or subscriber identification number;
- any unique identifier used by a health insurer to identify the individual; or
- any information in an individual’s application and claims history, including, but not limited to, appeals history.
These changes reflect a trend among states to bolster consumer privacy. They stem from two bills, S2659B/A8872A and S2376B/A4737B, signed into law by Governor Kathy Hochul on December 21, 2024, along with a chapter amendment enacted February 14, 2025, which clarified that the DFS requirements continue to apply only to those individuals and organizations subject to DFS’ jurisdiction.
Organizations should be mindful of these changes and reassess their data privacy practices accordingly. Norton Rose Fulbright can assist with cybersecurity incident response in light of these new requirements, as well as with compliance programming.