New Mexico Enacts Data Breach Notification Statute

New Mexico has become the 48th state to adopt a data breach notification statute. The Data Breach Notification Act, known as H.B. 15, went into effect on June 16, 2017.

The law covers unencrypted computerized data, and also encrypted computerized data where the key or process needed to decrypt it has been compromised along with the data. It also covers biometric data, defined to include any measurement of an individual's fingerprints, voice, iris or retina patterns, hand geometry or facial characteristics that can be used to authenticate identity in order to access a device, account or physical location.

Under the statute, an entity that experiences a security breach involving New Mexico residents' personal identifying information ("PII") or protected health information ("PHI") must, within 45 days of discovering the breach, notify the New Mexico residents whose PII and/or PHI is reasonably believed to have been subject to the breach, unless an appropriate investigation determines that the breach does not pose a significant risk of identity theft or fraud. Where more than 1,000 New Mexico residents must be notified, the entity must also notify the State Attorney General and the major consumer reporting agencies within the same 45-day window.

Third-party service providers that maintain PII on behalf of another entity are required to notify the data owner or licensor of the breach. Entities already subject to the Gramm-Leach-Bliley Act or HIPAA are exempt from the new law.

Among other information, the notice to impacted New Mexico residents must include the name and contact information of the notifying entity, a list of the PII believed to have been affected, the date of the breach, a description of the breach, advice on the individual's rights under the Fair Credit Reporting Act, a reminder of the individual's ability to check account statements, and the toll-free numbers of the major consumer reporting agencies. Substitute notice is permitted if (i) the cost of direct notice would exceed $100,000, (ii) the affected class exceeds 50,000 persons, or (iii) the responsible entity lacks sufficient contact information.

Like many other states' statutes and Europe's GDPR, New Mexico's law includes a data disposal provision that requires data owners to shred, erase, or otherwise render unreadable the PII in their custody once it is no longer needed for business purposes. It also mandates that (i) the Attorney General be provided with a copy of the notification sent to residents, and (ii) data owners implement reasonable security procedures and practices appropriate to the nature of the information to protect PII from unauthorized access, destruction, modification, use or disclosure. Third-party service providers are likewise required to maintain such security procedures. New Mexico has not issued specific rules on what constitutes reasonable security procedures, so the standard remains a fact-specific one in practice.

In the event of a violation, the New Mexico Attorney General is authorized to seek injunctive relief and an award of damages for actual costs or losses, including consequential financial losses. Where a court determines that a covered entity violated the statute knowingly or recklessly, the court may impose a civil penalty of the greater of $25,000 or, in the case of failed notification, $10 per instance of failed notification, up to a maximum of $150,000. The statute creates no private right of action for consumers.

New Mexico's adoption of a breach notification law leaves Alabama and South Dakota as the only two states without one. There are indications, however, that those states may adopt their own notification laws in the not-too-distant future.