Did you raise an eyebrow when the bells rang in 2025, courtesy of New York, dear chums? You know, New York Governor Hochul grabbing the Oath of Office pen and signing two key bills (A8872A and S2376B). They carried the weight of amending the New York data breach law, which honestly, needed a bit of spit and polish.
We’re talking serious tectonic shifts in what’s classified as personal information under the law and how quickly notifications need to happen after a data breach. The quickened notification pace is already in full swing, while the redefinition of personal information will step in the spotlight come March 21, 2025.
As things stand amended, now an organisation has a tight 30-day window from spotting a breach to notifying the people it impacted. It was all a little less precise before, with companies urged to make notifications “in the most expedient time possible and without reasonable delay.” We all know how subjective that can be, yes?
Exceptions to the deadline, though, still exist to serve law enforcement’s legitimate requirements. Far from stripping them of their necessity, one just has to appreciate the understanding that not everything is black and white.
Then there’s the who-to-notify dance routine. Listing out in your little black book, you’d find the NY Attorney General, Department of State, and the Division of State Police from before, but now there’s a noteworthy addition. Some scribbling might be in order, as we’ve now got the New York Department of Financial Services to also ping on the radar. Enough to make your head spin, eh? But no worries, there’s a handy form on the New York AG’s website that lets you reach out to each of them in a flash.
Now, there’s a juicy bit for my friends in the healthcare community. S2376B/A4737B also thickens the safety blanket around medical data and health insurance data, including them now in the definition of personal information in cases of identity theft. It’s about time, don’t you reckon?
To put it in contract speak, two fresh paragraphs (d and e) now define “medical information” and “health insurance information.” Medical information concerns anything about an individual’s medical history, physical or mental state, or any treatment or diagnosis by a healthcare professional.
Meanwhile, health insurance information speaks to an individual’s health insurance policy number, subscriber ID, any unique identifier a health insurer uses to spot the individual, plus any information in an individual’s application and claims history, even appeals history.
All in all, a fundamental rethink of what personal information covers and how swiftly we must respond to privacy breaches. It’s astonishing, really, but needless to say, some serious behind the scenes dealing is taking place in New York’s data protection world.
by Parker Bytes
