NY A00913

Relates to when and how notification of a data breach is to be provided to the department of financial services.



Introduced: 01/08/2025
In Committee: 01/22/2025
Crossed Over
Passed
Dead

Introduced Session

2025-2026 General Assembly

Bill Summary

AN ACT to amend the general business law, in relation to when and how notification of a data breach is to be provided to the department of financial services

AI Summary

This bill amends the New York general business law to clarify the requirements for notifying state authorities about data breaches. Specifically, the bill modifies the existing notification process by specifying that notice to the Department of Financial Services (DFS) is only required for "covered entities" as defined in the DFS cybersecurity regulation (23 NYCRR 500.1). When a data breach occurs affecting New York residents, the organization must still notify multiple state agencies including the attorney general, department of state, and state police about the timing, content, and distribution of breach notifications, as well as provide an approximate number of affected individuals. However, the notice to DFS must now be submitted in strict compliance with 23 NYCRR 500.17, which contains specific technical requirements for cybersecurity incident reporting. Importantly, these additional notification requirements cannot delay the primary notification to affected New York residents. The bill is set to take effect simultaneously with a related legislative package concerning data breach notifications.

Committee Categories

Business and Industry, Housing and Urban Affairs

Sponsors (2)

Last Action

Companion passed 2025-02-14 (on 02/14/2025)
