On March 15, the New Mexico Legislature passed the “Data Breach Notification Act,” which has been transmitted to Governor Susana Martinez. If enacted, New Mexico will become the forty-eighth state with a data notification law, leaving only South Dakota and Alabama without such laws. The Act requires individuals to be notified should their personal information be involved in a security breach, and also states that consumer reporting agencies, the attorney general’s office and card processors in certain circumstances must be notified as well. The timeframe for individual notice is “in the most expedient time possible,” but no later than 30 calendar days after the discovery of the security breach unless delayed reporting is appropriate due to a law enforcement investigation or out of necessity to determine the scope of the breach.

The Act defines a “security breach” as the unauthorized acquisition of computerized data that compromises the security or integrity of personally identifying information. A person who owns or licenses personally identifying information must “implement and maintain reasonable security procedures and practices appropriate for the nature of the information.” The Act requires the “proper disposal” of records containing personal identifying information of a New Mexico resident when such records are no longer reasonably needed for business purposes. Proper disposal means shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable. The Act does not account for medical information or health insurance data.
The legislation also specifies that it “shall not apply to a person subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996.” “Personal identifying information” includes an individual’s first name or first initial and last name in combination with one or more of the following:

• Social Security number
• Driver’s license number
• Government-issued identification number
• Account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a person’s financial account
• Unique biometric data, including the person’s fingerprint, voiceprint or retina or iris image

The definitional inclusion of biometric data is especially significant, as states are recognizing the growing prevalence of biometric identifiers in transactions. While affording no individual private cause of action, the Act authorizes the attorney general to bring an action on behalf of affected individuals. Businesses or organizations violating the Act may face a civil penalty of up to $25,000 or, in the case of failed notification, $10 per instance of failed notification, up to a maximum of $150,000.