New Mexico, one of the last holdouts in the move to state data breach notification requirements, has enacted its own data breach notification law, which will take effect on June 16, 2017 (i.e., 90 days after the adjournment of the New Mexico Legislature on March 18, 2017). Governor Susana Martinez signed the “Data Breach Notification Act” (H.B. 15) into law on April 6, 2017, making New Mexico the 48th state to require companies to notify individuals of data breaches involving their personally identifiable information.
The New Mexico law generally conforms to the data breach notification laws of other states. The law requires companies to notify affected individuals “in the most expedient time possible,” but not later than 45 days after discovering the security breach, unless the breach “does not give rise to a significant risk of identity theft.” If the data breach involves more than 1,000 New Mexico residents, in addition to notifying the affected individuals, companies must also notify the state attorney general and the major consumer reporting agencies “in the most expedient time possible,” but not later than 45 days following discovery of the breach. The law also requires that specific content be included in the breach notification to individuals.
The law deviates in a few ways from what is typically required by state data breach notification laws. For example, a service provider that processes data on behalf of a data owner must notify the owner of a breach “in the most expedient time possible,” but not later than 45 days following discovery of the breach. In contrast, most states require service providers to notify data owners “immediately,” and Florida and Georgia require notification by service providers within 10 days and 24 hours, respectively. The law also defines “personal identifying information” to include biometric data, following the lead of states such as Illinois, Iowa, Nebraska and Wisconsin.
The law includes other requirements in addition to data breach notification. Similar to the laws in several other states, the New Mexico law requires companies and their service providers to “implement and maintain reasonable security procedures and practices” to protect the personal information of New Mexico residents. It also includes requirements regarding the proper disposal of records containing personal information.