On April 6, 2017, New Mexico became the 48th state to enact a data breach notification law, leaving Alabama and South Dakota as the two remaining states without such requirements. The Data Breach Notification Act (H.B. 15) goes into effect on July 1, 2017.

Key Provisions of New Mexico’s Data Breach Notification Act:

  • The definition of “personal identifying information” includes biometric data, defined as an individual’s “fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account.”
  • The law applies to unencrypted computerized data or encrypted computerized data when the encryption key or code is also compromised.
  • Notice to the New Mexico Office of the Attorney General and the major consumer reporting agencies is required if more than 1,000 New Mexico residents are notified.
  • Notice must be made to New Mexico residents (and to the Attorney General and consumer reporting agencies if over 1,000 residents are notified) within 45 calendar days of discovery of a security breach.
    • Third-party service providers are also required to notify the data owner or licensor within 45 days of discovery of a data breach.
  • Notification is not required if, after an appropriate investigation, it is determined that the security breach does not give rise to a significant risk of identity theft or fraud.
  • Entities that are subject to the Gramm-Leach-Bliley Act or HIPAA are exempt from the statute.
  • The law also contains a data disposal provision that requires data owners or licensors to shred, erase or otherwise make unreadable personal identifying information contained in records when it is no longer “reasonably needed” for business purposes.
  • In addition, the law requires data owners and licensors to implement and maintain reasonable security procedures and practices designed to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.
    • Contracts with third-party service providers must require that the service provider implement and maintain such security procedures and practices.