New Mexico has followed other U.S. states in enacting data breach notification laws coming into effect on 16 June 2017. The statute will only apply to computerised data, which is narrower in scope compared to Australian laws that also apply to physical records.

The key provisions from the new data breach laws include:

  • Companies must notify New Mexico residents, the Attorney General and Consumer Reporting Agencies as appropriate within 45 days of discovery of data breaches that pose “a significant risk of identity theft or fraud”;
  • Companies that disclose Personal Identifying Information to third party vendors must contractually require the vendors to implement and maintain reasonable security procedures; and
  • Civil penalties of $10 per instance of failed notification up to a maximum of $150,000.

There are concerns that this adds another layer of complexity for companies trying to remain compliant, as they will now have to comply with data breach notification laws of 48 states and 3 territories. We think that there may be a big push for a unified federal law on this issue in the near future.