On April 6, 2017, New Mexico Governor Susana Martinez signed HB 15, making New Mexico the 48th state to enact a data breach notification law. The law has an effective date of June 16, 2017 and follows the same general structure of many of the breach notification laws in other states.
Importantly, the definition of personal identifying information (PII) under New Mexico’s Data Breach Notification Act includes biometric data (“a record generated by automatic measurements of an identified individual’s fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account.”). We have seen a number of states (e.g. Illinois) implement or amend their own data breach notification laws to include elements such as biometric data.
The Data Breach Notification Act includes three key components: (i) Disposal of PII; (ii) Security Measures for Storage of PII; and (iii) Notification of a Security Breach.
Disposal of PII
Under the Act, organizations are required to arrange for the proper disposal of records containing the PII of New Mexico residents when they are no longer reasonably needed for business purposes. Proper disposal means shredding, erasing, or otherwise modifying the PII contained in the records to be unreadable or undecipherable.
Security Measures for Storage of PII
Organizations must implement and maintain – and contractually require their service providers and vendors to implement and maintain – reasonable security procedures and practices to protect the PII they own or license from unauthorized access, destruction, use, modification, or disclosure. Unlike California, New Mexico has not yet provided guidance on what constitutes reasonable security procedures and practices. Nevertheless, all organizations should be implementing safeguards to protect the personal and company information they maintain.
Notification of a Security Breach
In the event of a breach, the Act provides:
-
Notification must be provided to each New Mexico resident within forty-five (45) calendar days following discovery of the breach.
-
If the person maintains or possesses PII of a New Mexico resident (but is not the owner or licensee) notification must be provided to the owner or licensee of the PII within forty-five (45) calendar days following discovery of the breach.
-
Notification to each New Mexico residents must include:
-
The name and contact information of the notifying person;
-
A list of the types of PII reasonably relieved to have been subject to the breach;
-
The date(s), or estimated dates(s), of the breach;
-
A general description of the breach;
-
The toll-free numbers and addresses of the major consumer reporting agencies;
-
Advice directing the recipient to review account statements and credit reports to detect errors; and
-
Advice informing the recipient of their rights pursuant to the federal Fair Credit Reporting.
-
-
In the event of a breach affecting more than 1000 New Mexico residents, notification must be provided to the New Mexico Attorney General and the major consumer reporting agencies within forty-five (45) calendar days following discovery of the breach. Such notice must include a copy of the notification sent to affected residents.
-
Notification may be delayed at the request of law enforcement or as necessary to determine the scope of the breach and restore the integrity, security, and confidentiality of the system.
-
A risk of harm trigger. Specifically, notification is not required if, after an appropriate investigation, the person determines the breach “does not give rise to a significant risk of identity theft of fraud.”
-
The Act does not apply to a person subject to GLBA or HIPAA.
Under the Act, the New Mexico Attorney General may bring an action for injunctive relief and an award of damages for actual costs or loses, including consequential financial losses. If a violation of the Act is knowing or reckless, a civil penalty of the greater of $25,000 or, in the case of failed notification, $10 per instance of failed notification up to a maximum of $150,000.