Bill > S00804

This bill amends existing data breach notification requirements by clarifying when and how entities must report breaches to the Department of Financial Services (DFS). Specifically, the bill limits notification to DFS only for "covered entities" as defined in 23 NYCRR 500.1, which typically refers to financial institutions and organizations handling sensitive financial information. The bill requires these covered entities to provide breach notifications to DFS in strict compliance with 23 NYCRR 500.17, which outlines specific protocols for reporting cybersecurity events. Importantly, this new requirement does not delay the primary obligation of notifying affected New York residents about the data breach. The bill also maintains the existing requirement that entities notify multiple state agencies, including the state attorney general, department of state, and division of state police, about the timing, content, distribution, and approximate number of people impacted by a data breach. The bill is designed to be implemented concurrently with related legislative bills (S. 2659-B and A. 8872-A) that address data breach notifications.

Housing and Urban Affairs

https://www.nysenate.gov/legislation/bills/2025/S804