The New Mexico Legislature passed the ‘Data Breach Notification Act’ (the Act) on March 15. The Act is now with Governor Susana Martinez who has 20 days from the date the Act was passed to sign it into law. If enacted, the Act would require a person, other than a person who is subject to the Health Insurance Portability and Accountability Act of 1996 or the Gramm-Leach-Bliley Act, that “owns or maintains” records containing a New Mexico resident’s personal identifying information (PII) to notify the resident if his or her PII is “reasonably believed” to have been subject to a security breach. In most cases, notification will be required within 45 days.
Under the Act, PII is defined as an individual’s last name and first name or first initial in combination with one or more specified data elements, when the data elements are not rendered unreadable or unusable through encryption, redaction, or another means. The five specified data elements or categories of data elements in the Act are (i) social security number; (ii) driver’s license number; (iii) government-issued identification number; (iv) biometric data, such as fingerprint, voice print, or retina image; and (v) account number, such as credit card or bank account number when combined with an access code that would permit access to the account.
Additionally, “security breach” is defined as the unauthorized acquisition of computerized data that compromises the security or integrity of PII. Therefore, the Act does not appear to require notification of a security breach of PII in paper records or in an unreadable digital format. It also does not appear that notification would be required under the Act when a breach results in unauthorized access to PII, but not the unauthorized acquisition of PII. Further, notification is not required if an “appropriate investigation” reveals that the security breach does not give rise to a significant risk of identity theft or fraud.
In general, the timeframe for individual notice under the Act is “in the most expedient time possible”, but no later than 45 calendar days following the discovery of the security breach. Additional notice must be sent to the Office of the Attorney General and major consumer credit agencies if the PII of 1,000 or more New Mexico residents was involved in a single security breach. If providing individual notice would cost $100,000 or more, a person can provide “substitute” notice, which includes, among other things, sending written notice of the security breach to major media outlets in New Mexico. Breach notices must contain seven elements, including the phone numbers of major consumer credit agencies, advice that directs the recipient to review their account statements and credit history for errors resulting from the security breach, and advice that informs the recipient of their rights under New Mexico’s Fair Credit Reporting and Identity Security Act.
In addition to breach notification, the Act implements flexible security standards for the storage, use, and disposal of PII. A person who owns or licenses PII must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information” to protect PII. Further, a person who owns or licenses PII must arrange for its “proper disposal”, defined as shredding, erasing, or otherwise making the PII unreadable, when the PII is “no longer reasonably needed for business purposes.” A person who discloses PII to a subcontractor must, in its contract with the subcontractor, require the subcontractor to implement similar safeguards.
The Act enables the attorney general to bring an action on behalf of affected individuals based on a reasonable belief that a violation of the Act has occurred. The court can issue an injunction and award damages for actual and consequential losses. If the court determines that a person violated the Act knowingly or recklessly, it may additionally impose a civil penalty of the greater of $25,000 or $10 per failed notification, up to $150,000.
If the Act becomes law, New Mexico will add to a patchwork of breach notification laws passed by 47 other states, Washington D.C., and three U.S. territories. Breach notification requirements differ from state to state, and state requirements can differ from federal requirements. In addition, the field of currently enacted legislation is subject to change. In 2016, more than 50 bills related to breach notification were proposed at the state level. Companies that handle personal information must understand the various federal and state laws to which they are subject and be aware of changes in legislation.