New York State amends law on data breach notifications
On February 14, the Governor of New York signed into law SB 804 (the “Act”), which amends the general business law concerning when and how notifications for data breaches are provided to the New York Department of Financial Services (NYDFS). Specifically, the Act requires New York residents to be notified of a data breach, and the responsible person must inform the state’s Attorney General, the state’s Department of State, the Division of State Police, and the NYDFS about the timing, content, and distribution of the notices, and the approximate number of affected individuals.
Additionally, a copy of the notice template sent to affected persons must be provided. However, notification to the NYDFS is mandated only if the entity is a covered entity as defined in 23 NYCRR 500.1. Notice to the NYDFS must comply with 23 NYCRR 500.17, which requires notice within 72 hours from when a cybersecurity event occurred. According to the Act, notification of the various state entities should not delay informing affected New York residents. The Act is set to take effect concurrently with a related chapter of the laws of 2024, which also addresses data breach notification procedures.