New Mexico and its New Data Breach Notification Law

Montserrat Miller
Arnall Golden Gregory LLP
Contact
LinkedIn
Facebook
X
Send
Embed

We are almost to a point where all 50 states and the District of Columbia will have some form of data breach notification law on their books to protect residents’ personally identifying information (PII) in the event of a data breach.  The three holdout states are Alabama, New Mexico and South Dakota.  But that’s about to change in New Mexico.  The state legislature recently passed the Data Breach Notification Act (H.B. 15) and the legislation is awaiting Governor Susana Martinez’s signature.

Some highlights of the legislation:

  • A “security breach” is defined as the “unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality or integrity of personal identifying information maintained by a person.”
  • It requires the proper disposal of PII when records containing such are “no longer reasonably needed for business purposes.”
  • It requires that any person that owns or maintains PII of New Mexico residents must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.”
  • In the event of a security breach, notification must be provided within 45 days.  However, New Mexico will be a “risk of harm” state, meaning that notice will not be required if the incident does not “give rise to a significant risk of identity theft or fraud.”
  • The notification letter must include specific content, including (but not limited to) the types of PII compromised, date of the breach, a general description of the breach, contact information for the three major credit bureaus, and “advice that directs the recipient to review personal account statements and credit reports, as applicable, to detect errors resulting from the security breach.”
  • Notice is required to be provided to the state attorney general and the three major credit bureaus if the breach affects more than 1,000 New Mexico residents.
Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Arnall Golden Gregory LLP | Attorney Advertising

Written by:

Arnall Golden Gregory LLP
Arnall Golden Gregory LLP
Contact
more
less

Arnall Golden Gregory LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide