NEW YORK AND DOJ INTRODUCE STRICTER DATA PRIVACY REQUIREMENTS

10 February 2025

Recent updates to New York’s data breach notification law and the U.S. Department of Justice’s (DOJ) rule on sensitive data transfers highlight a growing focus on consumer protection and national security.

New York Updates Data Breach Notification Law  

New York has strengthened its data breach notification requirements with amendments signed into law by Governor Kathy Hochul. Effective December 21, 2024, businesses must:

notify affected New York residents within 30 days of discovering a breach, replacing the previous, less defined standard. Exceptions apply if law enforcement determines that immediate disclosure could impede investigations.

notify the New York Department of Financial Services (NYDFS) in the event of a breach, alongside the Attorney General, Department of State, and Division of State Police.

Starting March 25, 2025, the law also broadens the definition of private information to include medical data, such as an individual’s health history or diagnoses, and health insurance details like policy numbers and claims records.

DOJ Rule on Sensitive Data Transfers  

On a national level, the DOJ finalized a rule restricting the transfer of sensitive personal data to foreign adversaries, effective April 8, 2025. This rule prohibits U.S. entities from sharing bulk sensitive data with nations like China, Cuba, Iran, North Korea, Russia, and Venezuela, or a ‘covered person’ associated with these nations (including an entity that is majority-owned by a country of concern, organized under the laws of a country of concern, has its principal place of business in a country of concern, or is an individual whose primary residence is in a country of concern). Sensitive data is broadly defined to include geolocation, biometric identifiers, genetic information, personal health data, and financial records, among other categories.

By October 6, 2025, businesses will also be required to implement due diligence and audit measures for restricted transactions to ensure compliance.

We are available to assist in reviewing your business’ data breach response plans and international data transfer policies to ensure alignment with the new regulations.

Contacting Pavia & Harcourt LLP 

Questions regarding matters discussed in this publication may be directed to Giovanni Spinelli at [email protected] or Alberto Canton at [email protected]

About Pavia & Harcourt LLP 

Established in 1951, Pavia & Harcourt LLP is a business law firm concentrating in international commercial and corporate transactions, banking, media and entertainment, real estate, litigation and arbitration, intellectual property, estate planning and administration, and matrimonial law. We are based in New York City.
