New Mexico Enacts Data Breach Notification Act (Updated)

Jason Gavejian
Jackson Lewis P.C.
Contact
LinkedIn
Facebook
X
Send
Embed

New Mexico has become the 48th state to enact a data breach notification law requiring that individuals be notified of security breaches of information involving personal identifying information. Governor Susana Martinez signed HB 15 on April 6, 2017. The new law follows the same general structure of many of the breach notification laws in other states. It will become effective on June 16, 2017.

The three key components of the Act are:

  • Disposal of Personal Identifying Information (PII);
  • Security Measures for Storage of PII; and
  • Notification of a Security Breach.

This leaves Alabama and South Dakota as the only states that have not enacted a data breach notification legislation.

Personal Identifying Information

Under New Mexico’s Data Breach Notification Act, PII means an individual’s first name or first initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable:

  • Social Security number;
  • driver’s license number;
  • government-issued identification number;
  • account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to a person’s financial account; or
  • biometric data.

Biometric data is defined as “a record generated by automatic measurements of an identified individual’s fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account.”

Some states (including Illinois) have implemented or amended their own data breach notification laws to include elements such as biometric data.

Disposal of PII

Under the Act, organizations must arrange for the proper disposal of records containing the PII of New Mexico residents when the records are no longer reasonably needed for business purposes. Proper disposal means shredding, erasing, or otherwise modifying the PII contained in the records to be unreadable or undecipherable.

Security Measures for Storage of PII

Organizations must implement and maintain — and contractually require their service providers and vendors to implement and maintain — reasonable security procedures and practices to protect the PII they own or license from unauthorized access, destruction, use, modification, or disclosure. Unlike California, New Mexico has not yet provided guidance on what constitutes reasonable security procedures and practices. Nevertheless, all organizations should implement safeguards to protect the personal and company information they maintain.

Notification of Security Breach

In the event of a breach, the Act states:

  • Notification must be provided to each New Mexico resident within 45 calendar days following discovery of the breach.
  • If the person maintains or possesses PII of a New Mexico resident (but is not the owner or licensee), notification must be provided to the owner or licensee of the PII within 45 calendar days following discovery of the breach.
  • Notification to each New Mexico residents must include:
    • The name and contact information of the notifying person;
    • A list of the types of PII reasonably believed to have been subject to the breach;
    • The date(s), or estimated dates(s), of the breach;
    • A general description of the breach;
    • The toll-free numbers and addresses of the major consumer reporting agencies;
    • Advice directing the recipient to review account statements and credit reports to detect errors; and
    • Advice informing the recipient of his or her rights pursuant to the federal Fair Credit Reporting Act.
  • In the event of a breach affecting more than 1,000 New Mexico residents, notification must be provided to the New Mexico Attorney General and the major consumer reporting agencies within 45 calendar days following discovery of the breach. Such notice must include a copy of the notification sent to affected residents.
  • Notification may be delayed at the request of law enforcement or as necessary to determine the scope of the breach and restore the integrity, security, and confidentiality of the system.
  • Notification is not required if, after an appropriate investigation, the person determines the breach “does not give rise to a significant risk of identity theft of fraud.” This is known as a risk of harm trigger.
  • The Act does not apply to a person subject to Gramm-Leach-Bliley Act (GLBA) or Health Insurance Portability and Accountability Act (HIPAA).

Enforcement

Under the Act, the New Mexico Attorney General may bring an action for injunctive relief and award of damages for actual costs or losses, including consequential financial losses. If a violation of the Act is found to be knowing or reckless, a court may impose a civil penalty of the greater of $25,000 or, in the case of failed notification, $10 per instance of failed notification up to a maximum of $150,000.

***

Breach notification laws continue to evolve. It is imperative for organizations to be prepared to respond appropriately.

 

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jackson Lewis P.C. | Attorney Advertising

Written by:

Jackson Lewis P.C.
Jackson Lewis P.C.
Contact
more
less

Jackson Lewis P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide