New York Gov. Kathy Hochul has signed several bills that are designed to strengthen protections of the personal data of consumers. One of those bills (Senate Bill S2659B) makes important changes to the notification timing requirements under the Empire State’s breach notification law (Section 899-aa of the New York General Business Law). S2659B was effective immediately upon its signature on Dec. 21, 2024.
All 50 states have enacted at least one data breach notification law. Some states, such as California, have more than one statute—a generally applicable statute and another applying to certain health care entities. Over the years, many of these states have updated their laws in different respects. For example, some have expanded the definition of personal information, resulting in broader categories of personal information triggering a potential notification requirement if breached. Others have added requirements to notify at least one state agency, while some states have modified the specific notification requirements, such as the timing of notification. That is one of the changes New York made to its law.
Prior to the change, a business subject to the New York statute that experienced a covered breach would be required to provide notification to affected individuals “in the most expedient time possible and without unreasonable delay.”
There was no outside time frame by which the notice must be provided, but S2659B added a 30-day deadline. So, the law now requires the...
A simmering dispute between a Live Oak businessman and the city’s police department continues to escalate. Newly released body-worn camera footage showed a Live Oak police officer who made a serie...