New Mexico recently became the 48th state to pass some form of data breach notification legislation, leaving Alabama and South Dakota as the lone holdouts. The Data Breach Notification Act was signed by New Mexico Governor Susana Martinez on April 6, 2017. The law applies to persons that own or license personal identifying information of New Mexico residents, defined as an individual’s first name or first initial and last name in combination with a social security number, driver’s license number, government-issued ID number, account number plus security or access code or password, or biometric data. The statute is triggered by a security breach, defined as the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal identifying information. Importantly, the statute contains a full exemption for entities “subject to” the Gramm-Leach-Bliley Act or HIPAA.
Like many other state data breach notification statutes, the New Mexico law incorporates a risk-of-harm analysis and does not require any notifications if a security breach does not give rise to a significant risk of identity theft or fraud. Where such a risk exists, owners/licensors of personal data are required to notify individuals whose information is reasonably believed to have been subject to a breach within 45 days of discovery. The law specifies required content for these notifications, including information related to the type of data, the date of the incident, and a general description of the breach. Notification to the Attorney General is required if more than one thousand residents must be notified. This notification must occur within 45 days of discovery and must include the number of affected residents as well as a copy of the individual notifications. Similarly, notification to the credit reporting agencies is required within 45 days of discovery if more than one thousand residents must be notified.
Data Security Requirements
In addition to the breach notification requirements discussed above, the New Mexico law requires “proper disposal” of records containing personal identifying information. “Proper disposal” means a form of disposal, such as shredding, that makes the records unreadable or undecipherable. The law also requires entities that own or license personal identifying information of New Mexico residents to implement and maintain reasonable security procedures and practices “appropriate to the nature of the information.” Along those lines, an entity that discloses such information pursuant to a contract with a service provider must contractually require the service provider to implement and maintain such measures.