On March 16, 2017, the New Mexico legislature passed the Data Breach Notification Act (HB 15), which is now on the desk of Governor Susana Martinez awaiting signature. Governor Martinez has until April 7, 2017 to sign HB 15 into law. If Governor Martinez signs the bill, New Mexico becomes the 48th state to adopt a data breach notification law — leaving Alabama and South Dakota as the only two remaining states without a state data breach notification law.
How New Mexico’s Breach Notification Law Differs From Other States’ Laws
While New Mexico’s data breach law is similar to other state data breach notification laws, it does depart in a couple of notable respects. First, New Mexico deviates from what is largely the statutory norm by requiring a strict timeline for notification: “[n]otification shall be made in the most expedient time possible, but not later than forty-five calendar days following discovery of the security breach.” HB 15, Sections 6(A) and (C). A small number of other states have the same 45-day deadline, and only Florida has a stricter deadline, requiring notice within 30 days but permitting a 15-day extension for good cause. The New Mexico Data Breach Notification Act does provide, however, that notice may be delayed: (a) if a law enforcement agency determines that notification will impede a criminal investigation; or (b) as necessary to determine the scope of the breach and restore the integrity, security and confidentiality of the data system. HB 15, Section 9(A) and (B).
New Mexico’s statute is also somewhat narrower than most in that it defines a “security breach” as the “unauthorized acquisition of unencrypted computerized data.” HB 15, Section 2(D). This is a departure from some of the other state data breach laws, which are broader in that they can be triggered by either acquisition or access, and some of which arguably cover computerized or paper records.
New Mexico Also Addresses Proper Disposal of PII
Entities should be aware that New Mexico’s statute includes requirements concerning the security and proper disposal of personally identifiable information (“PII”). For example, entities that maintain PII must maintain, or require their contractors/vendors to maintain, reasonable security procedures and practices appropriate to the nature of the specific PII to protect against unauthorized access, destruction, use, modification, or disclosure. The New Mexico statute requires that if an entity discloses PII to a service provider, the entity shall require the service provider by contract to implement and maintain reasonable security procedures and practices appropriate to the nature of the PII. HB 15, Section 4. Likewise, entities that own or license records containing PII are obligated to arrange for shredding, erasing, or otherwise modifying the PII to make the information unreadable or undecipherable. HB 15, Section 3.
New Mexico also deviates from the majority of other states in that, where substitute notice is permitted under the Act, it requires the entity disclosing the breach to also provide notification to the New Mexico State Attorney General.
In most other respects, the New Mexico Data Breach Notification Act is similar to various other state notification laws. The following are some of the other key provisions:
There is an exception to the notification requirement if, after an appropriate investigation, it is determined that the security breach does not give rise to a significant risk of identity theft or fraud. HB 15, Section 6(A) and (C).
Personal Identifying Information is defined as: an individual’s first name or initial and last name in combination with one or more of: social security number, driver’s license number, government-issued identification number; account number, credit card number or debit card number in combination with a security code or password; or biometric data. HB 15, Section 2(C).
The notification must include specific content, including the types of PII subject to the security breach, the name and contact information of the notifying person, the date or estimated date of the breach, a general description of the breach incident, the toll-free telephone numbers and addresses of the major credit reporting agencies, advice that directs the recipient to review personal account statements and credit reports to detect errors resulting from the security breach, and advice that informs the recipient of their rights under the Fair Credit Reporting and Identity Security Act. HB 15, Section 7.
If the breach affects more than 1,000 New Mexico residents, notice must be provided to the New Mexico State Attorney General as well as the three major credit bureaus. HB 15, Section 10.
Entities subject to the Gramm-Leach-Bliley Act or HIPAA are exempt from the New Mexico Data Breach Notification Act. HB 15, Section 8.