New Mexico Governor Signs Data Breach Notification Law
Alabama, South Dakota Only States Without Such a Statute
Gov. Susana Martinez has signed legislation making New Mexico the 48th state to enact a data breach notification law.
Martinez signed the act on April 6, more than three weeks after the New Mexico Legislature passed it (see New Mexico Set to Be 48th State with Breach Notification Law). The governor had until April 7 to sign the bill. The law takes effect on June 16.
Alabama and South Dakota remain the only states without a data breach notification law.
The New Mexico statute "follows the same general structure of many of the breach notification laws in other states," privacy lawyer Jason Gavejian says. "Importantly, the definition of personal identifying information under New Mexico's Data Breach Notification Act includes biometric data."
Only a handful of states including Illinois, Iowa, Nebraska and Wisconsin define PII to include biometric data, according to the law firm Mayer Brown LLP.
An analysis of the new statute by Mayer Brown says New Mexico deviates in a few ways from what is typically required by most other states' data breach notification laws. "For example," the analysis says, "a service provider that processes data on behalf of a data owner must notify the owner of a breach 'in the most expedient time possible,' but not later than 45 days following discovery of the breach. In contrast, most states require service providers to notify data owners 'immediately,' and Florida and Georgia require notification by service providers within 10 days and 24 hours, respectively."
New Mexico's law requires businesses operating in the state to implement reasonable security procedures to safeguard personally identifiable information. Unlike Massachusetts' law, the New Mexico measure is not prescriptive, giving businesses wide latitude to decide how best to protect PII.
The measure also requires organizations to notify the state attorney general if more than 1,000 New Mexicans fell victim to a breach.
Breached organizations must notify individuals "in the most expedient time possible, but not later than 45 days following discovery of the security breach," according to an analysis of the bill by the law firm Baker Hostetler. Organizations would be exempt from notification if, after an investigation, it's determined the breach didn't pose a significant risk of identity theft or fraud.
As with notification laws in many other states, organizations would be exempt from complying with the New Mexico statute if they must comply with the Gramm-Leach-Bliley Act, which governs financial institutions handling private information, or the Health Insurance Portability and Accountability Act, which regulates patient information.
The New Mexico law requires organizations to provide breach victims with advice on how to access personal account statements and credit reports to detect errors resulting from the security breach and also inform them of their rights under the Fair Credit Reporting and Identity Security Act.