Then there were two.
On March 16, 2017, the New Mexico state legislature passed a bill requiring that New Mexico residents be notified if their “personal identifying information” was affected by a breach of electronic data. Upon signature of the bill, New Mexico will join 47 other states requiring such notification, and the only states remaining without notification laws will be Alabama and South Dakota.
The New Mexico law is similar to many other state data breach notification laws. Here are some of the bill’s particulars.
- Prescribed time to notify: With limited exceptions, one must notify affected individuals “in the most expedient time possible, but not later than forty-five calendar days following discovery of the security breach.”
- “Risk of harm” considered: An exception to notification arises if, after investigation, it is determined that the security breach does not give rise to a significant risk of identity theft or fraud.
- Data elements that trigger notification: The elements include first name or first initial and last name in combination with Social Security number; driver’s license number; government-issued identification number; account number, credit card number or debit card number in combination with a security code or password; and biometric data.
- Does the proposed law apply to paper or electronic data? It depends. The notification portion applies only to unencrypted computerized data, but other portions may apply to paper records.
- Content of the individual notification: The notification to those affected must include the name and contact information of the notifying person; a list of the types of personal identifying information subject to a security breach, if known; the date or estimated date of the breach, if known; a general description of the security breach incident; the toll-free telephone numbers and addresses of the major consumer reporting agencies; advice that directs the recipient to review personal account statements and credit reports to detect errors resulting from the security breach; and advice that informs the recipient of the notification of the recipient’s rights pursuant to the Fair Credit Reporting and Identity Security Act.
- Notification to the AG: The New Mexico attorney general must be notified if more than 1,000 New Mexico residents are affected.
- HIPAA/GLBA exception: The proposed law does not apply to those subject to the Gramm-Leach-Bliley Act or HIPAA.
As in some other states (including California and Texas), the bill also contains a data protection provision requiring reasonable security procedures to protect personal identifying information. While not as detailed or onerous as the law in Massachusetts (which requires, among other things, specific elements of a security program, including encryption where possible), the bill as passed states
[a] person that owns or licenses personal identifying information of a New Mexico resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.
In addition, when personal identifying information of a New Mexico resident is disclosed to a service provider by contract, the contract must require that the “service provider implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and to protect it from unauthorized access, destruction, use, modification or disclosure.”
Now we play the waiting game for either state No. 49 to throw its hat into the notification ring or the federal government to pass a law that would unify notification obligations across all states.
I’m not holding my breath for the latter.