New Mexico Data Breach Notification
NM Stat § 57-12C-1 - § 57-12C-12
SUMMARY:
EFFECTIVE. June 16, 2017
WHO DOES THIS LAW APPLY TO. Applies to individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information.
WHAT IS A BREACH. Unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality, or integrity of personal identifying information maintained by a person or entity. Does not include the good-faith acquisition of personal identifying information by an employee or agent of a person for a legitimate business purpose of the person, provided that the personal identifying information is not subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. First name or first initial and last name, in combination with one or more of the following data elements, when such data is not encrypted, redacted, or otherwise rendered unreadable or unusable:
- Social Security number.
- Driver’s license or government-issued identification number.
- Financial account number, including a credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.
- Biometric data.
WHO TO NOTIFY OF THE BREACH. If more than 1,000 residents must be notified, must also notify the Attorney General in the most expedient time possible, but no later than 45 days. Notice to the Attorney General must include the number of residents notified and a copy of the notice sent to New Mexico residents. If 1,000 or more residents must be notified, must also notify each nationwide consumer reporting agency in the most expedient time possible, but no later than 45 days.
EXCEPTION. The provisions of the Data Breach Notification Act shall not apply to a person or business that is subject to the following:
- A person, business, or government agency that is subject to and complies with the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6810.
- Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. 300gg et seq.
WHEN TO NOTIFY OF THE BREACH. Notice must be made in the most expedient time possible, but not later than 45 days after discovery of the breach, consistent with measures necessary to determine scope of the breach, and restore the integrity, security, and confidentiality of the system. Notification may be delayed if law enforcement determines that notice will impede a criminal investigation. Notification not required if the covered entity, after an appropriate investigation, determines that the breach does not pose a significant risk of identity theft or fraud.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written notice via U.S. Mail.
- Electronic notice if the entity primarily communicates with the resident electronically or if the notice is otherwise consistent with E-SIGN.
- Substitute notice is also available under certain circumstances.
The notification must include:
- The covered entity’s name and contact information.
- A general description of the security breach.
- The date, estimated date, or range of dates the breach occurred (if known).
- A list of the types of personal information reasonably believed to have been subject to the breach.
- The toll-free numbers and addresses of the major consumer reporting agencies.
- Advice to review personal account statements and credit reports for errors.
- Advice regarding consumer rights under the Fair Credit Reporting Act.
SUBSTITUTE NOTICE AVAILABLE. Substitute notice is available if the cost to provide notice would exceed $100,000, the affected class of residents to notify exceeds 50,000, or the covered entity does not have sufficient contact information to give notice. Substitute notice must include:
- Email notice when the covered entity has email addresses for the affected residents.
- Conspicuous posting of the notice on the covered entity’s website if it maintains one.
- Notification to the Attorney General’s Office.
- Notification to statewide major media outlets.
NOTICE TO THIRD PARTIES. An entity that maintains personal information that it does not own or license must notify the owner or licensee in the most expedient time possible, but no later than 45 days after discovery of a breach. Notification to the owner or licensee is not required if, after appropriate investigation, the entity determines that the breach does not pose a significant risk of identity theft or fraud.
CONSEQUENCES FOR FAILING TO NOTIFY. The Attorney General may bring an action for violation of the statute. A violation may be subject to injunction or damages for actual costs or losses, including consequential losses. Knowing or reckless violations may be subject to additional penalties up to $25,000, or $10 per failed notification up to $150,000.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. N.M. Stat. § 57-12C-3. A person that owns or licenses records containing personal identifying information of a New Mexico resident shall arrange for proper disposal of the records when they are no longer reasonably needed for business purposes. As used in this section, "proper disposal" means shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable.
LEGISLATIVE UPDATES.
H.B. 15 – Signed into law on 4/6/2017, Effective 6/16/2017.
For more information, see here: https://nmonesource.com/nmos/nmsa/en/item/4423/index.do#!fragment/zoupio-_Toc99444845/BQCwhgziBcwMYgK4DsDWszIQewE4BUBTADwBdoAvbRABwEtsBaAfX2zgE4OAWXgDm4BWAJQAaZNlKEIARUSFcAT2gByFaIiEwuBHIXK1GrTpABlPKQBCygEoBRADJ2AagEEAcgGE7o0mABG0KTswsJAA
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.