Last week, the New Mexico Legislature passed the Data Breach Notification Act (the “Act”). Once the Act is signed by Governor Susana Martinez, New Mexico will join 47 other U.S. states (along with D.C., Guam, Puerto Rico, and the Virgin Islands) that have enacted a data breach notification law, leaving South Dakota and Alabama as the two hold-out states without one.

In most material respects, this legislation tracks the common provisions of other states’ breach notification laws. A few notable points: a data holder must notify affected New Mexico residents within 45 days of discovering a breach of their personal information. Personal information is defined as an individual’s first name or first initial and last name, in combination with a Social Security number, driver’s license number, government-issued identification number, unique biometric data, or financial account information together with any access code or password required to use it. If more than 1,000 residents are affected, the data holder must also notify the New Mexico Office of the Attorney General within the same 45-day window. Notice is not required if the data holder determines that the breach does not give rise to a significant risk of identity theft or fraud. The law provides for civil penalties for knowing or reckless violations.

Other notable provisions:

  • Disposal of Records Containing PII Requirement. Data holders must arrange for secure disposal of records containing personal identifying information (“PII”) when records are no longer needed for business purposes.
  • Security Measures for Storage of PII Requirement. Data holders must implement and maintain reasonable security procedures and practices to protect PII from unauthorized access, destruction, use, modification or disclosure.
  • Service Provider Contract Requirement. Contracts under which a service provider processes PII on the data holder’s behalf must require the service provider to:
    • implement and maintain reasonable security procedures and practices and
    • protect PII from unauthorized access, destruction, use, modification or disclosure.

The legislation exempts data holders already subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA).