New Mexico became the 48th state last week to have a data breach notification law, leaving only Alabama and South Dakota without. The statute, which was signed into law by Governor Susana Martinez on April 6, 2017, contains a broad definition of personal identifying information that, if breached, gives rise to a duty to notify. The law will become effective June 16, 2017. Triggering information includes name and social security number, driver's license number, government-issued identification number, account number, credit or debit card number with password, or biometric data. A breach under the New Mexico law is defined as it is in many states, namely as the unauthorized acquisition of computerized data.

With this law, New Mexico joins the growing number of states that require notification to a state regulator in the event of a breach. Specifically, the New Mexico statute requires notification to the attorney general and consumer reporting agencies if the breach affected more than 1,000 New Mexico residents (similar to Hawaii, Missouri, and South Carolina). Notification to individuals and the attorney general is required within 45 calendar days of the date of discovery of the breach, although notification may be delayed if law enforcement determines that notification will impede an investigation or a delay is necessary to determine the scope of the breach. New Mexico also joins a handful of other states in requiring specific content in the notice to impacted individuals.

In addition to breach notice requirements, the law requires companies that own or license personal information to implement and maintain reasonable security measures when storing and using personal information. This includes enacting policies and procedures to protect personal information from “unauthorized access, destruction, use, modification, or disclosure.” These data protection requirements are similar to those that exist in California, Florida, Maryland, Massachusetts, Nevada, Rhode Island, Texas, and Utah.

TIP: Companies with nationwide breach notice plans should keep in mind the new requirement to notify the New Mexico Attorney General if over 1,000 New Mexico residents have been impacted. Care should be taken to also ensure that form notices include the contents required by New Mexico.