New York’s legislature has announced two new amendments and a clarification to the State’s cyber law involving data breaches, highlighting important changes in cyber regulations, reports the indispensable JD Supra.
Businesses now have a 30-day deadline to notify residents impacted by covered breaches and, if the hack involves financial matters, the New York Department of Financial Services (NYDFS), among others, must also be notified. New York also expanded the definition of information falling under these regulations, adding medical and health insurance data, apparently creating some redundancies with the fed’s HIPAA, or Health Insurance Portability and Accountability Act.

Deadlines in Cyber Regulations Don’t Apply to State
But what happens if the hack of a New York State IT system creates a similar breach? JD Supra diplomatically notes: “New York agencies, however, are not bound by the 30-day deadline. State agencies must notify affected individuals in the most expedient time possible and without unreasonable delay.”
When last we checked in with New York State cyber regulations, it was insurance regulators warning insurance companies that their AI technologies better not hurt “protected classes” or “perpetuate or amplify systemic biases that have resulted in unlawful or unfair discrimination.”