A New Member in the Big Club – New Mexico Becomes the 48th State with a Breach Notification Law (+ Disposal and Service Provider Requirements)

Locke Lord LLP

Effective June 16, 2017, New Mexico will join 47 other states (as well as the District of Columbia, Guam, Puerto Rico, and the Virgin Islands) by imposing breach notification requirements on entities experiencing information security breaches impacting the state’s residents. Recently passed House Bill 15 will impose significant new requirements on businesses in New Mexico, and add new considerations for any businesses dealing with New Mexico residents when responding to an incident.

The new law is largely in line with the laws of other states, requiring notification following the unauthorized acquisition of unencrypted personal data, or encrypted personal data along with a process or key to decrypt the data. Certain elements of the law that are not common among all states are particularly noteworthy when responding to an incident:

  • notifications generally must be provided in the most expedient time possible and not more than 45 days following discovery of a breach;
  • biometric data is included in the definition of personal information types that (along with name) can trigger a breach notification requirement;
  • specific requirements are imposed for the content of notifications (including, without limitation, disclosure of data types subject to the incident, date or estimated date of the incident, a description of the incident, contact information for the entity experiencing the incident, toll-free numbers for the major consumer reporting agencies, advice to review account statements and credit reports, and advice informing recipients of their rights under the federal Fair Credit Reporting Act); and
  • the major consumer reporting agencies and the state’s attorney general must be notified if notices are provided to more than 1,000 New Mexico residents in connection with one incident.

In addition to imposing breach notification requirements, HB 15 imposes several basic information security requirements, including:

  • implementation and maintenance of reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure;
  • contractual provisions requiring service providers to maintain appropriate procedures and practices to protect personal information disclosed in the course of a service provider engagement; and
  • proper disposal of personal identifying information when no longer reasonably needed for a business purpose. (“Proper disposal” is defined as “shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable.”)

Following the passage of HB 15, organizations in New Mexico or dealing with information relating to New Mexico residents should be aware of the state’s new data breach requirements to ensure that responses are handled appropriately and in a timely manner. Those organizations should also review day-to-day practices to make sure that appropriate disposal and service-provider-engagement practices are in place.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Locke Lord LLP | Attorney Advertising
