Then there were two.
On March 16, 2017, the New Mexico state legislature passed a bill requiring that New Mexico residents be notified if their “personal identifying information” was affected by a breach of electronic data. Upon signature of the bill, New Mexico will join 47 other states requiring such notification, and the only states remaining without notification laws will be Alabama and South Dakota.
The New Mexico law is similar to many other state data breach notification laws. Here are some of the bill’s particulars.
As in some other states (including California and Texas), the bill also contains a data protection provision requiring reasonable security procedures to protect personal identifying information. While not as detailed or onerous as the law in Massachusetts (which requires, among other things, specific elements of a security program, including encryption where possible), the passed bill states:
“[a] person that owns or licenses personal identifying information of a New Mexico resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.”
In addition, when personal identifying information of a New Mexico resident is disclosed to a service provider by contract, the contract must require that the “service provider implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and to protect it from unauthorized access, destruction, use, modification or disclosure.”
Now we play the waiting game for either state No. 49 to throw its hat into the notification ring or the federal government to pass a law that would unify notification obligations across all states.
I’m not holding my breath for the latter.