We are almost to a point where all 50 states and the District of Columbia will have some form of data breach notification law on their books to protect residents’ personally identifying information (PII) in the event of a data breach.  The three holdout states are Alabama, New Mexico and South Dakota.  But that’s about to change in New Mexico.  The state legislature recently passed the Data Breach Notification Act (H.B. 15) and the legislation is awaiting Governor Susana Martinez’s signature.

Some highlights of the legislation:

  • A “security breach” is defined as the “unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality or integrity of personal identifying information maintained by a person.”
  • It requires the proper disposal of PII when records containing such are “no longer reasonably needed for business purposes.”
  • It requires that any person that owns or maintains PII of New Mexico residents must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.”
  • In the event of a security breach, notification must be provided within 45 days.  However, New Mexico will be a “risk of harm” state, meaning that notice will not be required if the incident does not “give rise to a significant risk of identity theft or fraud.”
  • The notification letter must include specific content, including (but not limited to) the types of PII compromised, date of the breach, a general description of the breach, contact information for the three major credit bureaus, and “advice that directs the recipient to review personal account statements and credit reports, as applicable, to detect errors resulting from the security breach.”
  • Notice is required to be provided to the state attorney general and the three major credit bureaus if the breach affects more than 1,000 New Mexico residents.