On April 6, 2017, New Mexico enacted a data breach notification law. The “Data Breach Notification Act” (H.B. 15) will take effect on June 16, 2017. The recent passage of this statute leaves Alabama and South Dakota as the only two remaining states with no law requiring companies to notify individuals of data breaches involving their personally identifiable information. Earlier drafts of the bill had failed to get past the New Mexico Senate Judiciary Committee because of concerns about the $150,000 damages cap and thirty (30) day notification requirement. The bill’s sponsor, Rep. Bill Rehm, stated that he worked closely with the New Mexico business community to make compromises on the bill so that it would pass this time around. The bill that passed this year still contains the damages cap but the previously proposed thirty (30) day notification requirement was replaced with a forty-five (45) day notification requirement.
For the most part, the New Mexico law requires companies to comply with data breach obligations required by a majority of other states. Like a handful of other states, including Illinois and Texas, the law’s definition of Personal Identifying Information (PII) explicitly includes biometric data along with other more commonly included categories of information like social security number, driver’s license number and financial account numbers.
Some important provisions from the New Mexico security breach notification statute:
- Like the majority of states, New Mexico’s statute applies only to “computerized data” and not data in paper or other forms.
- Notifications to New Mexico residents (and to the Attorney General and Consumer Reporting Agencies if over 1,000 residents are affected by a single incident) must be made within forty-five (45) calendar days of discovery of the security breach.
- Entities subject to GLBA or HIPAA are entirely exempted from the provisions of this statute.
- Third-party service providers are also required to notify the data owner or licensor and must comply with the same forty-five (45) calendar day notice requirement.
- However, notification obligations are only triggered if a security breach meets the harm threshold of posing a “significant risk of identity theft or fraud”.
- Civil penalties for knowing or reckless violations of the statute are the greater of $25,000 or, in the case of failed notification, $10 per instance of failed notification, up to a maximum of $150,000.
- Also, unlike Massachusetts’ and California’s data breach notification laws, which outline prescriptive security processes that companies must follow, New Mexico’s new law generally gives businesses considerable discretion in determining how best to protect PII. However, one area in which the New Mexico law is very specific is the requirement that businesses disclosing PII to third-party vendors contractually require such vendors to implement and maintain reasonable security procedures and practices.
The fragmented landscape of state data breach notification laws will only get more complex as states continue to amend current legislation, making compliance with state data breach notification laws increasingly difficult for businesses. Companies wanting to remain compliant with such laws across multiple jurisdictions will now have to contend with the laws of 48 states and 3 territories. Calls for a federal data breach notification requirement that would allow companies to follow one set of rules have received pushback from consumer advocates who fear a superseding federal law might weaken the data breach notification laws of states with heightened requirements.