On December 21, 2024, New York Governor Kathy Hochul signed legislation introducing key updates to the state’s data breach notification and cybersecurity laws. These changes aim to protect consumer data, enhance privacy, and address emerging cybersecurity challenges.
Key Legislative Updates
Tighter Notification Deadlines
Entities must notify affected individuals of a data breach within 30 days of discovery, ensuring prompt disclosure. This change eliminates ambiguity in the previous law, which required notification "without unreasonable delay."
Businesses must also notify the Department of Financial Services in addition to the Attorney General, Department of State, and Division of State Police.
Broader Definition of "Private Information"
The law now includes medical and health data, such as health insurance information, in its definition of private information. This expansion means more types of breaches will trigger notification requirements.
Restrictions on Debt Collection Practices
Debt collection via social media platforms is now prohibited, safeguarding consumers from potential online harassment.
Security Standards for State-Procured Devices
State agencies must ensure that the devices they procure conform to the NIST Cybersecurity Framework, enhancing protections for state-managed digital infrastructure.
Transparency for Online Dating Platforms
Dating platforms must implement clear disclosure practices and better safeguard user data to prevent fraud and misuse.
Mandatory Reporting for Social Media Companies
Social media platforms must update their terms of service to address hate speech and submit semi-annual reports detailing their content moderation practices.
Implications for Businesses
These changes highlight New York’s commitment to consumer privacy and cybersecurity. Businesses operating in the state or handling the data of New York residents must:
- Review and update data protection protocols.
- Ensure compliance with tighter breach notification deadlines.
- Expand safeguards to include medical and health-related data.
Failure to comply could result in significant legal and financial penalties. Businesses are encouraged to consult legal experts specializing in cybersecurity to address these updates effectively.
Apex Technology Services, a leading New York-based MSP, provides tailored cybersecurity solutions designed to protect businesses from evolving cyber threats. Their expertise ensures that companies can maintain the security, confidentiality, and integrity of private information, thereby avoiding the pitfalls experienced by the state of Rhode Island.
Investing in professional cybersecurity services not only helps prevent data breaches but also ensures compliance with industry regulations, avoiding hefty fines and legal complications. In an era where cyber threats are increasingly sophisticated, entrusting your company's cybersecurity to experts like Apex Technology Services is a prudent decision to protect your business and its stakeholders.