The Data Breach Notification Act, House Bill 15,[1] passed New Mexico’s House and Senate on February 15 and March 15, 2017, respectively, without any opposition. New Mexico Governor Susana Martinez has until April 7, 2017 to sign the act into law, or it will be pocket vetoed.
Once the bill is signed, 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands will have enacted some version of a data breach notification law.[2] These statutes mandate that an entity notify residents when there has been unauthorized access or use of the individuals’ personally identifiable information (PII). With the passage of New Mexico’s statute, Alabama and South Dakota will be the only two remaining states without equivalent laws.
New Mexico’s Statute Largely Follows the Provisions of Other States
Under the Data Breach Notification Act, New Mexico residents would gain protections similar to those provided in many other jurisdictions. Specifically, after experiencing a security breach, defined as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PII, an entity must notify all affected New Mexico residents within 45 days after discovery of the breach.[3] Notification may be delayed if law enforcement “determines that the notification will impede a criminal investigation.”[4] The entity must also notify the New Mexico attorney general and major consumer reporting agencies if it needs to notify more than 1,000 New Mexico residents. However, as part of a harmless exemption, the bill states that entities are not required to notify affected individuals “if, after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.”[5]
The statute uses a common definition of PII, defining it as an individual’s first name or first initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable: (a) social security number; (b) driver’s license number; (c) government-issued identification number; (d) account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a person’s financial account; or (e) unique biometric data, including the person’s fingerprint, voice print or retina or iris image.[6]
The New Mexico law does not follow the recent trend of including usernames or email addresses in combination with passwords or security questions and answers that has recently been added to the definition of PII in several jurisdictions.[7]
The statute also does not provide for an explicit private right of action. Instead, it gives the New Mexico attorney general the right to bring an action on behalf of affected individuals and in the name of the state for any violations of the Data Breach Notification Act. In such an action, the court could issue an injunction, award damages for costs (including consequential financial losses), and impose a civil penalty for knowing or reckless violations.[8]
The statute does follow the growing trend of requiring proper disposal of records containing PII, and also requires owners or licensees of PII to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the PII from unauthorized access, destruction, use, modification or disclosure.”[9]
Navigating the Multijurisdictional Framework
While there are many similarities among the jurisdictions’ notification statutes, all 52 jurisdictional statutes are unique, creating a complicated and oftentimes contradictory system. The US Congress has yet to institute an overarching federal standard, so multijurisdictional companies are forced to navigate the intricacies of all the jurisdictions, with New Mexico now potentially added to the mix. Based on the many variations among individual state data breach laws, some have called for enactment of a uniform federal standard concerning data breach notification requirements.[10]
For example, many statutes, including the proposed New Mexico bill, require that a notice contain a description of the breach, and some states, such as Maine and Rhode Island, even require inclusion of the number of affected individuals.[11] However, other states require the exact opposite, with Illinois and Massachusetts prohibiting inclusion of the number of affected residents and Massachusetts completely prohibiting anything regarding “the nature of the breach.”[12]
As discussed above, New Mexico provides a harmless exemption to notification. The majority of jurisdictions also provide harmless exemptions, but each jurisdiction’s standard for this exemption differs. Companies with residents in all jurisdictions will be forced to make potentially 52 separate assessments regarding the possible harm and impact of a data breach. Therefore, each case involving a potential data or security breach requires a careful assessment of the facts and circumstances and consideration of any legal consequences, including whether notification is mandated in each applicable jurisdiction.
[1] See House Bill 15 (HB 15).
[2] For a listing of the data breach notification statutes, see National Conference of State Legislatures, Security Breach Notification Laws.
[3] HB 15, §§ 6(A), (C).
[4] Id. § 9(A).
[5] Id. § 6(B).
[6] Id. § 2(C).
[7] See M. Krotoski, S. Tester, LawFlash: Three States Join Others to Expand Personal Information Definition to Include Usernames or Email Addresses (Jan. 3, 2017).
[8] HB 15, § 11.
[9] Id. §§ 3, 4.
[10] See, e.g., M. Krotoski, L. Wang, & J. Rosen, The Need to Repair the Complex, Cumbersome, Costly Data Breach Notification Maze, BNA’s Privacy & Security Law Report, 15 PVLR 271 (Feb. 8, 2016).
[11] HB 15, § 7; 10 Me. Rev. Stat. Ann. § 1348(4); R.I. Gen. Laws § 11-49.3-4(d)(1).
[12] HB 15, § 7; Mass. Gen. Laws ch. 93H, § 3(a); 815 Ill. Comp. Stat. § 530/10(a).