New Mexico Passes Data Breach Notification Law
New Mexico recently became the 48th state to enact legislation requiring companies to notify individuals of data breaches involving their personally identifiable information, leaving Alabama and South Dakota as the only holdouts. The law, known as the "Data Breach Notification Act" (H.B. 15), takes effect on June 16, 2017 and largely tracks the data breach notification laws of other states, with a few notable differences described below.
New Mexico's new law requires companies to notify affected individuals "in the most expedient time possible" once it is reasonably believed that their information has been subject to a breach, and in no event later than 45 days after discovery of the breach. As in many other states, notification may be delayed if law enforcement "determines that the notification will impede a criminal investigation." The law also prescribes the content of the notice, which must include the type of information believed to have been subject to the breach (to the extent known), the date of the incident (to the extent known), and a general description of the incident. If the breach involves more than 1,000 New Mexico residents, the company must, in addition to notifying the affected individuals, notify the state attorney general and the major consumer reporting agencies, again in the "most expedient time possible" and not later than 45 days after discovery of the breach. Because both deadlines run from discovery rather than from confirmation, an incident response plan should record the discovery date at the outset and track the 45-day window from that point.
The law's definition of "personal identifying information" is similar to that of most other states, but it expressly includes unique biometric data. Notably, the law does not follow the trend in several states, including California, of extending the definition of PII to usernames or email addresses in combination with passwords or security questions and answers.
The law also requires companies to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information." This obligation extends to the proper disposal of records containing PII. Additionally, an entity that discloses PII to a service provider under a contract must require, in that contract, that the service provider implement and maintain reasonable security procedures and practices of its own.
At Selman, our team can assist you in proactively developing and implementing a data breach response plan. In the event of an incident, our established response team is ready to assist you in managing and coordinating an appropriately tailored response.
Please contact Elaine Harwell for more information on this topic.