Last week, the New Mexico state legislature passed a bill requiring that New Mexico state residents be notified if their non-encrypted “personal identifying information” (including biometric data) is breached. Once the bill is signed into law, New Mexico will join 47 other states with similar notification laws, and the only two hold-outs will be South Dakota and Alabama. Because not all state notification laws are identical, targets of a data breach must determine the requirements of each applicable statute, which can be a daunting task.
Dubbed the “Data Breach Notification Act,” the New Mexico bill requires that entities notify residents “in the most expedient time possible, but not later than forty-five calendar days following discovery of the security breach” unless an exemption applies, such as a request by law enforcement to delay notification. The bill also sets forth the required content of the notification and the acceptable methods of providing the notice. If more than 1000 residents are affected, the breached entity must also notify the state Attorney General and each major credit reporting agency. If the Attorney General has a reasonable belief that a company has failed to comply with the Act, the Attorney General can bring an action on behalf of the individuals affected.
In addition to the notification requirement, the bill also contains mandates regarding data handling. For example, anyone that owns or licenses records containing personal identifying information (“PII”) of a NM resident must arrange for proper disposal of the records when they are “no longer reasonably needed for business purposes.” Persons or entities that own or license PII are also required to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the [PII] from unauthorized access.” And anyone that discloses PII pursuant to a contract with a service provider must contractually require the service provider to implement and maintain reasonable security procedures and practices to protect the PII from unauthorized access.
The bill can be accessed here: https://www.nmlegis.gov/Sessions/17%20Regular/bills/house/HB0015JCS.pdf