NY Amends Data Breach Reporting Law to Clarify Reporting to NYDFS

New York has recently enacted an amendment to the state’s data breach reporting law to clarify which types of entities must report a data breach to the N.Y. Department of Financial Services (NYDFS).

New York law has generally required entities which experience a data breach to notify any New York residents whose private information was exposed within 30 days of discovery of the breach.  Until this amendment goes into effect, such entities have also been required to simultaneously notify the state Attorney General, the Department of State, the Division of State Police, and NYDFS with information about the breach and the notifications which were sent to the state’s residents.  As written, the statute could have been read to require reporting to NYDFS even if the reporting entity was not regulated by NYDFS.

Separately, NYDFS had previously adopted cybersecurity regulations which cover most financial services providers whom NYDFS regulates.  Among other things, these cybersecurity regulations require covered entities to notify NYDFS of a data breach within 72 hours of discovery.

The legislature amended the state’s data breach reporting statute to clarify that notification of the breach only needs to be sent to NYDFS if the reporting entity is already one of the types of entities covered by the NYDFS cybersecurity regulations, and that this notification to NYDFS should comply with the requirements set forth in those regulations.