Skip to the main content.
Making screening easy for candidates

CVC - Mega Menu-01

With Verified Credentials' mobile-first candidate experience, you meet candidates where it's most convenient. Learn how easy we make it.

See how it works ›

Featured resource

Adverse Action Guide_Menu

Gain clarity about your compliance responsibilities with our new Adverse Action Guide! Use the interactive map to learn what regulations apply in your area.

Visit the guide ›

Verified Credentials is a leading background screening company. Since 1984, we’ve helped validate and secure relationships through the use of our comprehensive screening solutions. We offer a wide variety of background checks, verifications, and innovative screening tools.

Get to know us ›

Accredited background screening solutions

Logo-PBSA-Accreditation-120x98

Our accreditation confirms that our policies, processes, and employee training meet rigorous industry compliance standards.

Learn about our solutions ›

2 min read

Updates to New York’s Data Breach Notification Law Explained

In December 2024, New York Governor Kathy Hochul signed two bills amending the state’s current data breach notification law. Senate Bill S2659B and Assembly Bill A8872A aim to strengthen data breach notification requirements, enhance transparency, safeguard consumer data, and hold businesses accountable for breaches. These amendments apply to New York’s previous data breach notification law, expanding the defined qualifications of what is considered a notifiable data breach and establishing more specific guidelines for notifying consumers and government agencies of these breaches.

 

What has changed?

S2376B: Changes to private information categories

S2376B is in effect as of March 21, 2025. It focuses on broadening the categories of qualified private information that businesses are required to address if a data breach occurs.

  • Medical information: The law defines medical information as “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.”
  • Health insurance information: Health insurance information is defined as “an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including, but not limited to, appeals history.”

To read the full details of the amendments to New York’s data breach notification law, take a closer look here.

A8872A: Changes to timeline and reporting

Previously, businesses had no specific timeframe other than being required to notify affected individuals “in the most expedient time possible and without unreasonable delay.” A8872A adds a timeframe and reporting process businesses are obligated to follow in case of a data breach.

  • Timeline for reporting information: Businesses that discover a data breach involving private information are required to notify affected New York residents within 30 days after a breach is discovered.
  • Government reporting for data breaches: In addition to notifying the New York State Attorney General, the Department of State, and the Division of State Police, businesses are now also required to notify the Department of Financial Services (DFS) in the event of a data breach affecting New York residents.

Take a closer look here to see the full text and amendments regarding reporting requirements and timelines.

Enforcement and penalties

The Attorney General is tasked with making sure organizations follow the notification requirements. Meanwhile, the DFS will monitor financial institutions and related entities to ensure they meet the new notification standards. Entities that fail to comply with the updated reporting requirements are subject to facing legal action, including fines and penalties, as outlined in New York's General Business Law.

 

Keeping up with the evolving world of consumer data

All states currently have pre-existing laws requiring businesses to notify consumers in the case of a data breach, but they vary substantially. New York’s amendments to their existing focus on consumer protections, expanding the definition of what qualifies as private information and setting a stricter timeline for notifying consumers and government agencies of a data breach, could potentially set a precedent for other states to reconsider their existing consumer data restrictions and breach reporting policies. As laws that dictate consumer laws, privacy, and reporting continue to evolve, Verified Credentials will try to provide updates as they become available.

This article is for informational purposes only and does not constitute legal advice or official predictions of future laws and regulations. Hiring professionals, HR professionals, and administrators should consult their legal counsel to ensure all actions comply with the law. 

Utah Senate Bill 70: Consumer Reporting Amendments Explained

Utah joined the list of states in 2025 that have enacted legislation regulating what information can be reported to organizations requesting...

Read More

Texas Cracks Down on AI with the Responsible Artificial Intelligence Governance Act

The phrase, “don’t mess with Texas,” has taken on a whole new meaning. If you were considering using AI for business in Texas, you might want to hold...

Read More

Minnesota Consumer Data Privacy Act Now in Effect: Details Employers Need to Know

In 2024, we covered both Minnesota’s and Rhode Island’s Data Privacy Acts. While Rhode Island’s law will not go into effect until 2026, Minnesota’s...

Read More

Data Privacy Awareness Continues in the New Year: Nebraska’s Data Privacy Act

2024 was a big year for consumer data privacy laws, with states like Minnesota, Rhode Island,and Montanapassing laws to protect consumer rights and...

Read More

Minnesota Consumer Data Privacy Act Now in Effect: Details Employers Need to Know

In 2024, we covered both Minnesota’s and Rhode Island’s Data Privacy Acts. While Rhode Island’s law will not go into effect until 2026, Minnesota’s...

Read More

Montana’s 2024 Consumer Data Privacy Act

Montana has joined the growing list of consumer data privacy laws enacted throughout the country, creating new guidelines for consumer data privacy. ...

Read More