New Mexico is the 48th state to enact a data breach law. That law, the Data Breach Notification Act (HB15), is scheduled to take effect on June 16, 2017. Alabama and South Dakota are now the only states without a data breach notification law.
The New Mexico law is like other state breach notification laws in that the notification requirement is tied to the unauthorized acquisition of unencrypted computerized data that compromises the security or confidentiality of “personally identifiable information” (PII). As is also customary, PII is defined as an individual’s first name or initial plus last name and either a social security number, driver’s license number, government-issued identification number, or account or credit card/debit number plus security code or password. Unlike many states, however, the law also includes biometric data in the definition of PII. The law also requires that owners and licensees of PII properly dispose of it and implement reasonable security procedures to protect PII, and companies must require service providers to likewise implement and maintain reasonable security procedures appropriate to the nature of the PII.
Companies that experience a reportable breach must notify all affected New Mexico residents within 45 days of discovery of the breach, unless a company determines that the breach does not give rise to a significant risk of identity theft or fraud. If more than 1,000 New Mexico residents are affected, then a company must also notify the Attorney General and the three major consumer reporting agencies within 45 days.
Tennessee recently amended its data breach notification law by reinstating an encryption safe harbor. Tennessee was the first and only state to extend data breach notification obligations to encrypted data as well as unencrypted data, so the recent amendment realigns the Tennessee law with those of other states in that regard.
To view Keller and Heckman LLP’s latest summary of all U.S. state data breach notification laws, available on our website, click here.