Breach Notification , Governance & Risk Management , Incident & Breach Response

New Mexico Governor Signs Data Breach Notification Law

Alabama, South Dakota Only States Without Such a Statute
New Mexico Governor Signs Data Breach Notification Law
New Mexico Capitol

Gov. Susana Martinez has signed legislation making the state New Mexico the 48th state to enact a data breach notification law.

See Also: Embracing Digital Risk Protection: Take Your Threat Intelligence to the Next Level

Martinez signed the act on April 6, more than three weeks after the New Mexico Legislature passed it (see New Mexico Set to Be 48th State with Breach Notification Law). The governor had until April 7 to sign the bill. The law takes effect on June 16.

Alabama and South Dakota remain the only states without a data breach notification law.

The New Mexico statute "follows the same general structure of many of the breach notification laws in other states," privacy lawyer Jason Gavejian says. "Importantly, the definition of personal identifying information under New Mexico's Data Breach Notification Act includes biometric data."

Only a handful of states including Illinois, Iowa, Nebraska and Wisconsin define PII to include biometric data, according to the law firm Mayer Brown LLP.

Law's Requirements

An analysis of the new statute by Mayer Brown says New Mexico deviates in a few ways from what is typically required by most other states data breach notification laws. "For example," the analysis says, "a service provider that processes data on behalf of a data owner must notify the owner of a breach 'in the most expedient time possible,' but not later than 45 days following discovery of the breach. In contrast, most states require service providers to notify data owners 'immediately,' and Florida and Georgia require notification by service providers within 10 days and 24 hours, respectively."

New Mexico's law requires businesses operating in the state to take reasonable security procedures to safeguard personally identifiable information. Unlike Massachusetts' law, the New Mexico measure is not prescriptive, giving much latitude to businesses to decide how best to protect PII.

The measure also requires organizations to notify the state attorney general if more than 1,000 New Mexicans fell victim to a breach.

Notification Provisions

Breached organizations must notify individuals "in the most expedient time possible, but not later than 45 days following discovery of the security breach," according to an analysis of bill by the law firm Baker Hostetler. Organizations would be exempt from notification if, after an investigation, it's determined the breach didn't pose a significant risk of identity theft or fraud.

Like notification laws in many other states, organizations would be exempt from complying with the New Mexico statute if they must comply with the Gramm-Leach-Bliley Act that governs financial institutions handling private information or the Health Insurance Portability and Accountability Act that regulates patient information.

The New Mexico law requires organizations to provide breach victims with advice on how to access personal account statements and credit reports to detect errors resulting from the security breach and also inform them of their rights under the Fair Credit Reporting and Identity Security Act.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.