New York State recently announced a settlement with financial technology and online financial services provider PayPal, Inc., over what the state called PayPal’s inadequate training processes for key personnel in handling sensitive customer information.
The state has also updated its breach notification law to revise its timing and notice provisions and expand the scope of what constitutes “private information.”
And, last but not least, a new bill is poised to be signed into law: the New York Health Information Privacy Act, which takes a major step forward in protecting personal health data by making it illegal for certain entities to sell an individual’s regulated health information without explicit consent.
NYDFS settles with PayPal
New York State Department of Financial Services (NYDFS) Superintendent Adrienne Harris recently announced that PayPal, Inc. will pay a $2m penalty to New York State for violations of NYDFS’s Part 500 Cybersecurity Regulation. An investigation determined PayPal failed to use qualified personnel to manage key cybersecurity functions and failed to provide adequate training to address cybersecurity risks. These failures led to sensitive customer information, including social security numbers (SSNs), being left unredacted and easily accessible to cybercriminals, the agency said.
NYDFS alleged that customer data was exposed after PayPal implemented changes to existing data flows to make IRS Form 1099-Ks available to more of its customers. However, the teams tasked with implementing these changes were not trained on PayPal’s systems and application development processes.
As a result, they failed to follow proper procedures before the changes went live. This allowed cybercriminals to leverage compromised credentials to access Form 1099-Ks, which included sensitive customer data, including SSNs.
The agency said its investigation also revealed that PayPal failed to implement and maintain written policies that address access controls, identity management, and customer data, and failed to use effective controls to protect against unauthorized access to Nonpublic Information or Information Systems. Notably, the company did not require customers to use multifactor authentication or use controls such as CAPTCHA or rate limiting to help prevent unauthorized access.
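The finding above singles out two controls that were absent: rate limiting of authentication attempts and a multifactor requirement before sensitive records are released. The following Python model is an added illustration of how those two controls fit together; it is not PayPal’s or NYDFS’s code, and the thresholds, the document label form_1099k, and the sample attempt streams are constructed for the example. CAPTCHA, the third control the agency named, is not modelled.

```python
"""Login throttling and step-up authentication gate.

Added illustration, not PayPal's or NYDFS's code. Models two of the
controls the settlement text says were absent: rate limiting of
authentication attempts and a multifactor requirement before
sensitive records (here, tax forms containing SSNs) are released.
All thresholds, labels and sample attempt streams are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    """Sliding-window limiter keyed both by account and by source IP.

    Replaying a list of compromised credentials touches many accounts
    from few addresses, so the per-IP window usually trips first; the
    per-account window catches repeated guesses against one user that
    arrive from many addresses.
    """
    window_seconds: int = 300          # constructed: five-minute window
    max_per_account: int = 5           # constructed threshold
    max_per_ip: int = 20               # constructed threshold
    _by_account: dict = field(default_factory=lambda: defaultdict(deque))
    _by_ip: dict = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, q: deque, now: float) -> None:
        """Drop timestamps that have fallen out of the window."""
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def allow(self, account: str, ip: str, now: float) -> bool:
        """Return True if this attempt may proceed to credential checking.

        Attempts that are allowed are recorded against both keys;
        blocked attempts are not, so a blocked client cannot extend
        its own lockout window indefinitely.
        """
        acct_q = self._by_account[account]
        ip_q = self._by_ip[ip]
        self._prune(acct_q, now)
        self._prune(ip_q, now)
        if len(acct_q) >= self.max_per_account or len(ip_q) >= self.max_per_ip:
            return False
        acct_q.append(now)
        ip_q.append(now)
        return True


# Constructed label for document types that carry SSNs.
SENSITIVE_DOCUMENT_TYPES = {"form_1099k"}


def may_release(doc_type: str, session_mfa_verified: bool) -> bool:
    """Sensitive documents are released only to a session that has
    completed a second factor; a valid password alone is not enough."""
    if doc_type in SENSITIVE_DOCUMENT_TYPES:
        return session_mfa_verified
    return True


def replay(throttle: LoginThrottle, attempts) -> tuple:
    """Feed (timestamp, account, ip) attempts through the throttle and
    return (allowed, blocked) counts."""
    allowed = blocked = 0
    for ts, account, ip in attempts:
        if throttle.allow(account, ip, ts):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


# Constructed stream: one address trying 30 distinct stolen credentials
# within thirty seconds. Each account is hit once, so only the per-IP
# window can stop it.
STUFFING_BURST = [(float(i), f"user{i:03d}", "203.0.113.7") for i in range(30)]

# Constructed stream: eight guesses against one account from eight
# different addresses, which only the per-account window can stop.
SPRAY_ON_ONE_ACCOUNT = [(float(i), "victim", f"198.51.100.{i}") for i in range(8)]


if __name__ == "__main__":
    print("stuffing burst (allowed, blocked):", replay(LoginThrottle(), STUFFING_BURST))
    print("single-account spray (allowed, blocked):", replay(LoginThrottle(), SPRAY_ON_ONE_ACCOUNT))
    print("1099-K without MFA:", may_release("form_1099k", False))
    print("1099-K with MFA:", may_release("form_1099k", True))
```

Keying the limiter on both the account and the source address is the point of the example: either dimension alone leaves one of the two attack shapes unthrottled, and the release gate is independent of the limiter, so a credential that is guessed correctly still does not reach a form containing an SSN without a second factor.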
NYDFS said PayPal has since remediated these issues and improved its cybersecurity practices.
NY data breach notification
New York Governor Kathy Hochul recently signed into law two bills (S2659B and S2376B) to modify and enhance the state’s data breach notification law.
The amendments revise the timing requirements for notice to affected individuals, expand the list of regulators to be notified of the breaches, and add new data elements to New York’s definition of “private information.”
Timing: The amendments change the required notification to affected New York residents from “in the most expedient time possible and without unreasonable delay” to “no later than 30 days after discovery of the breach, except for the legitimate needs of law enforcement.” This change was effective December 21, 2024.
Additional regulator notice: The law now requires notice to the NYDFS in addition to the New York State Attorney General, the New York Department of State, and the Division of State Police. This was also effective on December 21.
Definition of “private information”: As of March 25, 2025, the definition of “private information” subject to the law’s notification requirements will include:
- medical information (for example, any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional); and
- health insurance information (for example, an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual or any information in an individual’s application and claims history, including, but not limited to, appeals history).
In line with the law’s Health Insurance Portability and Accountability Act (HIPAA) exemption, a breach of protected health information would not trigger additional notification requirements to affected individuals. However, the law still requires notice to certain regulators, including the New York State Attorney General, the New York Department of State, and the Division of State Police.
New York Health Information Privacy Act
The recently proposed New York Health Information Privacy Act (NYHIPA), Senate Bill S929, awaits Governor Hochul’s signature, and it seeks to make a major enhancement to the state’s approach to protecting personal health data in the digital age.
The bill aims to establish stronger privacy protections and restrict health-related data being used or sold without explicit user consent. Supporters see it as a necessary evolution of data privacy laws, addressing gaps in federal regulations such as HIPAA and responding to growing consumer concerns.
New York’s legislation is notable for broadly defining what constitutes “regulated health information.” Unlike HIPAA, which primarily governs hospitals, insurers, and healthcare providers, NYHIPA extends its scope to include any company that collects health-related data from New York residents. This means that digital health apps, wellness platforms, and employers offering health benefits could be subject to its requirements.
Unlike other state privacy laws that largely apply solely to residents of that state, NYHIPA imposes significant burdens on companies located in New York because it applies to the covered health information they process, regardless of whether the individual is located in or outside of New York.
NYHIPA will take effect one year after the governor signs it into law.