• New Mexico Enacts Data Breach Notification Act
  • May 8, 2017 | Author: Jason C. Gavejian
  • Law Firm: Jackson Lewis P.C. - Morristown Office
  • New Mexico has become the 48th state to enact a data breach notification law requiring that individuals be notified of security breaches of information involving personal identifying information. Governor Susana Martinez signed HB 15 on April 6, 2017. The new law follows the same general structure of many of the breach notification laws in other states. It will become effective on June 16, 2017.

    The three key components of the Act are:
    • Disposal of Personal Identifying Information (PII);
    • Security Measures for Storage of PII; and
    • Notification of a Security Breach.
    This leaves Alabama and South Dakota as the only states that have not enacted a data breach notification legislation.

    Personal Identifying Information

    Under New Mexico’s Data Breach Notification Act, PII means an individual’s first name or first initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable:
    • Social Security number;
    • driver’s license number;
    • government-issued identification number;
    • account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to a person’s financial account; or
    • biometric data.
    Biometric data is defined as “a record generated by automatic measurements of an identified individual’s fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account.”

    Some states (including Illinois) have implemented or amended their own data breach notification laws to include elements such as biometric data.

    Disposal of PII

    Under the Act, organizations must arrange for the proper disposal of records containing the PII of New Mexico residents when the records are no longer reasonably needed for business purposes. Proper disposal means shredding, erasing, or otherwise modifying the PII contained in the records to be unreadable or undecipherable.

    Security Measures for Storage of PII

    Organizations must implement and maintain - and contractually require their service providers and vendors to implement and maintain - reasonable security procedures and practices to protect the PII they own or license from unauthorized access, destruction, use, modification, or disclosure. Unlike California, New Mexico has not yet provided guidance on what constitutes reasonable security procedures and practices. Nevertheless, all organizations should implement safeguards to protect the personal and company information they maintain.

    Notification of Security Breach

    In the event of a breach, the Act states:
    • Notification must be provided to each New Mexico resident within 45 calendar days following discovery of the breach.
    • If the person maintains or possesses PII of a New Mexico resident (but is not the owner or licensee), notification must be provided to the owner or licensee of the PII within 45 calendar days following discovery of the breach.
    • Notification to each New Mexico residents must include:
      • The name and contact information of the notifying person;
      • A list of the types of PII reasonably believed to have been subject to the breach;
      • The date(s), or estimated dates(s), of the breach;
      • A general description of the breach;
      • The toll-free numbers and addresses of the major consumer reporting agencies;
      • Advice directing the recipient to review account statements and credit reports to detect errors; and
      • Advice informing the recipient of his or her rights pursuant to the federal Fair Credit Reporting Act.
    • In the event of a breach affecting more than 1,000 New Mexico residents, notification must be provided to the New Mexico Attorney General and the major consumer reporting agencies within 45 calendar days following discovery of the breach. Such notice must include a copy of the notification sent to affected residents.
    • Notification may be delayed at the request of law enforcement or as necessary to determine the scope of the breach and restore the integrity, security, and confidentiality of the system.
    • Notification is not required if, after an appropriate investigation, the person determines the breach “does not give rise to a significant risk of identity theft of fraud.” This is known as a risk of harm trigger.
    • The Act does not apply to a person subject to Gramm-Leach-Bliley Act (GLBA) or Health Insurance Portability and Accountability Act (HIPAA).

    Under the Act, the New Mexico Attorney General may bring an action for injunctive relief and award of damages for actual costs or losses, including consequential financial losses. If a violation of the Act is found to be knowing or reckless, a court may impose a civil penalty of the greater of $25,000 or, in the case of failed notification, $10 per instance of failed notification up to a maximum of $150,000.