While there is no federal law requiring companies to notify individuals of data breaches, South Dakota and Alabama will be the only states without data breach legislation if Gov. Susana Martinez signs New Mexico’s H.B. 15, which the state legislature passed March 16. While the bill itself applies only to New Mexico residents, passage of H.B. 15—to be known as the “Data Breach Notification Act”—could put additional pressure on the United States Congress to draft federal legislation for data breach notification, so companies can base compliance on a single standard rather than a patchwork of state laws. In either case, it adds additional requirements to that patchwork.
New Mexico’s Data Breach Notification Act, as passed by both houses of the state legislature, imposes several requirements on any “person”1 who “owns or licenses records containing personal identifying information of a New Mexico resident.” Those requirements include “proper disposal” of records containing personal identifying information when those records are “no longer reasonably needed for business purposes”; “implement[ing] and maintain[ing] reasonable security procedures and practices appropriate to the nature of the information” and requiring any retained services providers to do the same; breach notification “in the most expedient time possible, but not later than thirty calendar days following discovery of the security breach”; though notification is not required where, “after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.”
Additionally, in the event that more than 1,000 New Mexico residents are affected by a breach, the covered entity must notify both the attorney general and “major consumer reporting agencies” no later than 30 days after the breach. Further, where a security breach involves a credit or debit card number, the New Mexico legislation mandates providing notice to “each merchant services provider to which the person transmitted the credit card number or debit card number” within 10 days of the data breach discovery. Nodding to existing federal data breach laws, the New Mexico legislation exempts from its notice-requirements those subject to the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
Although the New Mexico legislation does not provide for a private right of action, it does permit the state attorney general to bring an action on behalf of affected individuals, where “the attorney general has a reasonable belief that a violation of the Data Breach Notification Act has occurred.” In such suits, a court may award as relief “damages for actual costs or losses, including consequential financial losses,” or may issue an injunction. Upon a finding that a violation of the Act was knowing or reckless, a court may also impose a civil penalty of $25,000 or, in the case of failed notification, $10 per instance of failed notification up to a maximum of $150,000.
If Gov. Martinez signs H.B. 15, South Dakota will be the final holdout, as Alabama’s legislature recently introduced the Alabama Information Protection Act of 2016 (S.B. 238), which is similar to New Mexico’s H.B. 15, although the Alabama bill requires a breach to impact 1,000 Alabama residents before covered entities are required to act.
N.B. Pursuant to N.M. STAT. ANN. § 12-2A-3, “person” means “an individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture or any legal or commercial entity.