In 2025, two states made particularly important amendments to their cybersecurity and data breach notification laws: New York and Oklahoma. These changes highlight broader national trends that organizations should keep in mind as additional state privacy laws take effect in 2026.
New York: Expanded definition of “personal information” and Notification Deadline
Medical and health insurance information
New York significantly broadened its data breach notification law for 2025 by adding “medical information” and “health insurance information” to the definition of personal information, under General Business Law § 899-aa. This expansion has meaningful consequences. Importantly, the statute does not include a HIPAA exemption. HIPAA does not preempt state laws that are more protective than federal requirements. As a result, these New York requirements apply not only to non-healthcare businesses, but also to:
- Healthcare providers
- Health insurance companies; and
- Employer-sponsored health plans.
New 30-Day Notification Deadline
New York also added a 30-day deadline to notify affected individuals following a data breach. Previously, the statute required notification only as “expediently as possible and without unreasonable delay,” leaving room for interpretation. The new deadline removes that ambiguity and places added pressure on incident response teams to investigate, assess scope, and prepare notices quickly.
Oklahoma: Modernized Breach Law for Emerging Data Risks
Oklahoma’s lawmakers also made notable amendments to its data breach notification statute in the past year, bringing it more in line with modern cybersecurity realities.
Expanded Categories of Personal Information
Oklahoma expanded its definition of “personal information” to include:
- Biometric identifiers, such as fingerprints or other biometric data used for identification or authentication; and
- Unique identifiers associated with a financial account, when combined with a required security code, password, or passcode
New Attorney General Notification Requirement
Like many states, Oklahoma now requires organizations to notify the state Attorney General when a breach affects more than a certain number of residents (in this case, 500). Notice must be provided to the Attorney General within 60 days. This change ensures state authorities have visibility into large-scale incidents.
Clarifying the Encryption Safe Harbor
Many state breach laws do not treat encrypted data as “breached” unless the encryption keys are also compromised. Oklahoma has formally adopted this approach. Under the amended law, encrypted data triggers breach notification obligations only if the encryption keys are accessed or obtained as well. This aligns Oklahoma with the majority of states and reinforces the importance of strong encryption and key-management practices.
A New Safe Harbor
In 2023, Oklahoma created an affirmative defense to tort claims for a breached entity whose cybersecurity program meets certain criteria. Starting in January 2026, a further safe harbor against statutory civil penalties cuts the penalty in half (from $150K to $75K) if the entity has “reasonable safeguards” and gives notice as required by the statute.
Oklahoma’s reasonable safeguards include risk assessments, technical and layered defenses, employee training, and an incident response plan.
New Small Business Safe Harbor in Texas
Everything’s bigger in Texas, except this: a new safe harbor from punitive damages in a cybersecurity lawsuit applies only to businesses with fewer than 250 employees. To take advantage of it, a company must adopt a recognized cybersecurity framework such as NIST or ISO.
These safe harbors are in addition to those already adopted by other states: Ohio (safe harbor from tort claims if a recognized cybersecurity framework such as NIST is used, 2018); Connecticut (defense against punitive damages, 2021); Tennessee (safe harbor from class actions, May 2024); and Utah (2021). On a side note: Tennessee is the only state I’m aware of with safe harbors for privacy and cybersecurity claims. Tennessee has a safe harbor against cybersecurity class actions as long as the incident was not caused by willful/wanton conduct or gross negligence. Tennessee also has a safe harbor against privacy violations if the entity has adopted and implemented the NIST privacy framework.
Broader Trends and Looking Ahead to 2026
These amendments underscore several nationwide trends:
- States are expanding what counts as protected personal information, especially health data, biometrics, and digital identifiers.
- Legislatures continue to move away from flexible standards toward clear notification deadlines.
- Attorney General notification requirements are becoming more ubiquitous.
- Encryption remains a critical safeguard — but only if keys are properly protected.
Looking ahead to 2026, several states will implement comprehensive data protection laws that go beyond breach notification and regulate how personal data is collected, used, shared, and retained. Together with ongoing amendments to breach statutes, this means organizations must track not only new laws, but also incremental changes to existing ones.
