New Mexico became the most recent jurisdiction to enact a Data Breach Notification Act, joining the many other states that have passed legislation requiring consumers to be notified when a cyber-attack exposes their personal information. Under the terms of the statute, entities already subject to the federal Gramm-Leach-Bliley Act, which covers most financial services firms, are exempt.
Over the past few years, a significant number of states and territories have enacted security breach notification laws. New Mexico joined the fray, passing the Data Breach Notification Act (HB 15) (“Act”). The main purpose of the Act is to protect personal identifying information (“PII”) and compel the notification of consumers when such information is breached or used without authorization.
The Act requires any entity that owns or licenses any amount of PII of a New Mexico resident to provide notification in the event of a data breach where it is reasonably believed that PII was the subject of the breach. Such notification must: 1) be made within 45 days of discovery of the breach; 2) be sent either by U.S. mail or, in certain situations, by electronic notification; and 3) contain at least the name and contact information of the entity that suffered the breach, the type of PII reasonably believed to have been the subject of the breach, the date of the breach, a general description of the breach, contact information for the major consumer reporting agencies, advice to review personal account statements for irregularities, and a description of the recipient's rights under the Fair Credit Reporting Act.
Importantly, if the entity suffering the breach determines that the breach did not give rise to a significant risk of identity theft or fraud, it is not required to send notification. Notification may be delayed if a law enforcement agency determines that notification would interfere with a criminal investigation, or if the entity needs more time to determine the scope of the breach. The Act does not apply to any person or entity subject to the Gramm-Leach-Bliley Act.
The Act also imposes specific requirements for the disposal of records containing PII, for the storage and protection of PII, and for the security measures that must be implemented when a service provider or other third party is given access to PII.
When the Attorney General of New Mexico has a reasonable belief that a violation of the Act has occurred, the Attorney General may bring an action on behalf of the affected individuals. If the court determines that the Act was knowingly or recklessly violated, the court may impose a civil penalty of the greater of $25,000 or, in the case of failed notification, $10 per instance of failed notification, not to exceed $175,000.
The entire text of the bill may be found here.