S.2540 (Comrie)


Director, Government Affairs


Business Notifications of a Data Breach



The Business Council of New York State, the state’s leading statewide employer association, opposes this legislation that would amend the General Business Law in relation to mandatory notifications of a data breach.

This bill would change the time frame within which businesses that have experienced cyber breaches of “private information” must notify consumers.

Under current law, businesses that own or license computerized data which includes private information are required to notify New York State residents in “the most expedient time possible and without unreasonable delay consistent with the legitimate needs of law enforcement.”

This legislation would change the standard to 15 days. 

While this may appear to expedite the process of notification by establishing a fixed, if arbitrary, time frame, it poses a number of problems. Most importantly, a 15-day notification requirement may force companies to notify prematurely those whose personal information is suspected of having been breached, before a thorough investigation can determine whether such a breach took place. This bill could therefore irresponsibly mandate notification of persons whose information is only suspected of having been compromised, even where a full investigation later proves that suspicion false. The short time frame may thus not benefit consumers and may instead be a meaningless cause for alarm.

Under regulations already enforced by the Department of Financial Services (DFS), companies in New York State must notify DFS of breaches within 72 hours. After that initial notification, companies undertake extensive diagnostic and forensic investigations of their systems and the information suspected of being breached. In conjunction with law enforcement, consumers are notified at the earliest possible time.

It should be noted that many states which require notification do not have time frames as limiting as the one proposed under this bill. In fact, many states currently use language similar to that which this bill seeks to replace – “most expedient time possible.”

In summary, we find this legislation to be both unnecessary and counterproductive.  

For the above reasons, The Business Council opposes this legislation.