Thirteen years after the first state data breach notification law was enacted, New Mexico has finally decided to join the other 47 states with such laws, sending HB15 in mid-March to Gov. Susana Martinez for signature.
New Mexico’s data breach law makes two notable departures from the laws in 47 other states. First, and what is perhaps the biggest step from the statutory norm, is its timeline. HB15 states that “[n]otification shall be made in the most expedient time possible, but not later than forty-five calendar days following discovery of the security breach.” Currently, Florida is the only state with a stricter (30-day deadline) but that state allows for a 15-day extension for good cause. There are only a handful of other states that have the same 45-day deadline. Second, New Mexico defines “security breach” as the “unauthorized acquisition of unencrypted computerized data” (emphasis added). This narrows the scope of the legislation beyond some of the other state data breach laws that are triggered by acquisition or access, and some of which cover (or are vague enough to cover) computerized or paper records.
There are two portions of HB15 that deviate – perhaps more modestly – from the statutory norm. First, if substitute notice is allowed, it requires that the entity disclosing the breach also provide notification to the Attorney General in addition to the normally required media and website notifications. Additionally, the content of all notices requires “advice that informs the recipient of the notification of the recipient's rights pursuant to the Fair Credit Reporting and Identity Security Act.” The “Notice of Rights” in New Mexico’s Fair Credit Reporting and Identity Security Act is a robust recital of rights pertaining to placing and removing credit freeze and the obligations of credit reporting agencies when such a request is made.
In all other respects, New Mexico’s HB15 is similar to various other state notification laws, including definition of personally identifiable information (PII), notice requirements, and substitute notice. Organizations should also be aware of the security obligations and requirements regarding proper disposal of PII, as not all data breach statues contain such requirements:
- Security Measures: Entities that maintain PII must maintain (or require their contractors to maintain) reasonable security procedures and practices appropriate to the nature of the PII to protect it from unauthorized access, destruction, use, modification, or disclosure.
- Proper Disposal of PII: Entities who own or license records containing PII are obligated to arrange for the shredding, erasing, or otherwise modifying of PII to make the PII unreadable or undecipherable.
Gov. Martinez has until April 7, 2017 to sign HB15 into law.