New Mexico Becomes 48th State to Enact a Data Breach Notification Law

After years of legislative debate, New Mexico becomes the 48th state to enact a data breach notification law, leaving only Alabama and South Dakota as the two remaining states without such a law. New Mexico’s Data Breach Notification Act (the Act) goes into effect on July 1, 2017. The Act provides a 45-day deadline to report a data breach, which is a longer window than other states’ notification laws provide. However, the Act is more far-reaching in other areas. For instance, the Act includes “biometric data” in its definition of PII. It also requires owners of PII to adopt “reasonable” cybersecurity procedures and to contractually require their vendors to employ reasonable cybersecurity procedures. It also has a provision addressing the “proper disposal” of records containing PII.

Some key provisions to the Act are:

Definitions

    • The Act defines “personal identifying information” to include biometric data. “Biometric data” is defined as “a record generated by automatic measurements of an identified individual’s fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account.” (“Personal identifying information” does not mean “information that is lawfully obtained from publicly available sources or from federal, state or local government records lawfully made available to the general public.”);
    • The Act excludes from the definition of a “security breach” encrypted computerized data so long as the encryption key or code has not been compromised;

Notification and Deadlines

    • A breach victim must provide notice to New Mexico residents within 45 calendar days of discovery of a security breach. If over 1,000 residents are affected, the state Attorney General and consumer reporting agencies also must be notified;
    • Third-party service providers are required to notify the data owner or licensor within 45 days of discovery of a data breach;
    • The Act lists the information that must be provided when notifying affected individuals of a data breach;
    • However, notification is not required if, “after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud”;

Data Security Requirements

    • The Act requires data owners and licensors to implement and maintain reasonable security procedures and practices “appropriate to the nature of the information” to be protected;
    • Contracts with third-party service providers must require that the service provider implement and maintain reasonable security procedures and practices;
    • The Act has a data disposal provision that requires data owners or licensors to arrange for “proper disposal” of records containing “personal identifying information,” including by shredding, erasing or otherwise making such information “unreadable or undecipherable” when it is no longer “reasonably needed” for business purposes;

Exemptions

    • Companies that are subject to the Gramm-Leach-Bliley Act and/or HIPAA are exempt from the Act.