New Mexico’s Data Breach Notification Law: Déjà Vu All Over Again?
The Land of Enchantment’s first data breach notification law is set to take effect on June 16, 2017. But how much does it really change what your company may already be doing to comply with the other 47 state data breach notification statutes?
On April 6, 2017, New Mexico Governor Susana Martinez signed the Data Breach Notification Act (H.B. 15) into law, making New Mexico the 48th state — along with Washington, D.C., Guam, Puerto Rico, and the U.S. Virgin Islands — to require notification to consumers following a data security incident affecting residents’ personal information.
The act, which goes into effect on June 16, 2017, comes some 14 years after California’s breach notification statute — the first of its kind in the nation — took effect in 2003. Alabama and South Dakota now stand alone as the only states that do not have any consumer data breach notification requirements on their books (though that too may change in the near future).
The act adds yet another layer to the already complex patchwork of state data breach notification standards across the country, where businesses that operate in multiple states have to comply with different notification standards and timeframes following a breach, depending upon where their customers live.
While the act’s passage is important, companies that already must comply with other state data breach notification statutes may wonder if there is anything new under the New Mexican sun.
Key Aspects of New Mexico’s Data Breach Notification Statute
- What Is Personal Information? New Mexico’s law defines personal information as a resident’s first name or first initial and last name when combined with: their Social Security number; driver’s license or other government-issued ID number; financial account information, including a debit or credit card number, and the means to access the account; or biometric data.
- “Biometric data” includes an individual’s fingerprints, voice print, iris or retina patterns, facial characteristics, or hand geometry that is used to authenticate the individual’s identity when accessing a physical location, device, system, or account.
- What Is Covered? The act applies to electronic information only. The statute also contains an encryption safe harbor, meaning that notification may not be required when the data is protected by encryption. However, the safe harbor does not apply if the encryption key is also compromised.
- What Is a “Breach”? The act defines a breach as an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of any personal information maintained.
- Whom to Notify? In addition to notifying New Mexico residents, a company must also notify the New Mexico Attorney General and the major consumer reporting agencies if more than 1,000 residents have to be notified.
- When Is Notification Not Required? Notification to New Mexico residents and regulators is not required if, after an appropriate investigation, the company determines that the breach does not give rise to a significant risk of identity theft or fraud.
- When Must Notification Occur? A company or other entity that owns or licenses personal information concerning New Mexico residents must notify the affected residents, the attorney general, and the credit reporting agencies in the most expedient time possible, but no later than 45 days after discovery.
Incidentally, a third party who maintains or possesses personal information of New Mexico residents must similarly notify the information owner or licensee about a breach in the most expedient time possible, but also no later than 45 days after its discovery of the breach.
- What Needs to Be Included in the Notification? Notification to New Mexico residents must include: the notifying company’s name and contact information; a general description of the breach; the date, estimated date, or range of dates the breach occurred (if known); a description of the types of personal information reasonably believed subject to the breach; the toll-free numbers and addresses of the credit reporting agencies; advice to review account statements and credit reports for errors; and advice regarding consumer rights under the federal Fair Credit Reporting Act.
Notification to the New Mexico Attorney General must include a copy of the consumer notice and the number of state residents notified.
- Who Is Exempt? The act does not apply to companies subject to Health Insurance Portability and Accountability Act or Gramm-Leach-Bliley Act.
- Other Provisions: The act also contains data disposal requirements, mandating that companies subject to the statute shred, erase, or otherwise modify records containing personal information to be unreadable when they are no longer reasonably needed for business purposes. Additionally, subject companies must also employ reasonable security procedures to protect personal information from unauthorized access, destruction, use, modification, or disclosure, and must contractually require third-party service providers to do likewise.
How New Mexico Compares to the Other States
On the whole, the act is not dramatically different from the majority of the current state data breach notification laws. Indeed, the act seems to incorporate those laws’ definitions of personal information and notification requirements. This should be welcome news to businesses that already have procedures in place to give notice to consumers and regulators consistent with current state laws.
The table below summarizes the current data breach notification landscape and should help businesses identify how New Mexico’s new breach notification regime aligns with, and differs from, the majority of other state data breach notification laws.
Current State Data Breach Notification Landscape
|How many states currently have breach notification laws?||
Including New Mexico, 48 states have data breach notification statutes, plus Washington, D.C., Guam, Puerto Rico, and the Virgin Islands now have breach notification laws enactedAlabama and South Dakota do not have data breach notification statutes—yet
|What types of information are covered?||
All states cover electronic information that contains personal information10 states also cover paper records that contain personal information
|What if the data is encrypted?||
All states require notification of consumers regarding breaches of unencrypted data containing personal information
The majority of states have an encryption safe harbor, excluding data that is encrypted or otherwise protectedOne state, Tennessee, arguably requires notification even if personal information is encrypted
|How do states define “personal information”?||
All states generally define personal information as an individual’s first name or initial and last name, combined with one or more of the following data elements: an individual’s Social Security number, driver’s license or state ID card number, or financial account number with means to access the account
A number of states also include additional data elements in their definition of personal information:
California has specific notification requirements when a licensed clinic, health facility, home health agency, or hospice has a breach affecting “medical information,” defined as individually identifiable information regarding a patient’s medical history, mental or physical condition, or treatment.
|Is notification to consumers always required?||37 states and Guam only require notification if the company determines that there is a likelihood of harm to consumers from the breach|
|When does notice have to be made?||
38 states require notice to be made in the “most expedient time possible”
10 states also have outer time limits, requiring notice to be made within a set time after discovery of a breach:
|What needs to be included in the notice?||22 states, plus Puerto Rico, require consumer notice to contain particular content. Note that Massachusetts specifically prohibits mentioning any details about the nature of the breach.|
|Do state regulators need to be notified as well?||
26 states as well as Puerto Rico require notification of state regulatory officials, typically the state attorney general, under certain circumstances
10 states and Puerto Rico have specified outer time limits, requiring notice to state regulators to be made within a set time period after discovery of a breach (assuming applicable numerical thresholds of affected consumers have been met):
Because no two data breach notification laws are exactly alike, companies will still need to pay close attention to the specifics of the act and consider how their duties to notify consumers and regulators may differ from state to state. Such companies should carefully examine their current breach notification procedures in light of the act and speak with experienced counsel on how they should revise their breach response procedures.