With the signing of HB 15 on April 6, 2017, New Mexico became the 48th state and 52nd US jurisdiction to enact a data breach notification law, leaving only Alabama and South Dakota to go. The Data Breach Notification Act, which goes into effect June 16, 2017, is similar to many long-standing state breach notification laws, but it also incorporates several recent trends in breach notification amendments identified by the RADAR team.
Let’s look at key provisions in the act and how they line up with recent trends.
Trend: Expanded scope of personal information
The Act’s definition of personal information goes beyond name, Social Security number, driver’s license number, and financial account information to include biometric data.
Trend: Required notification to the state attorney general
If a breach requires notification to more than 1,000 residents, the Act requires regulated entities to notify the attorney general and major consumer reporting agencies.
Trend: Specified notification timelines to individuals
The Act requires that affected individuals be notified no later than 45 calendar days following discovery, rather than the more typical timeline of “in the most expedient time possible and without unreasonable delay.”
Trend: Specified notification contents
The Act requires that notification to affected individuals include specific information, such as the name and contact information of the notifying person and a list of the types of personal identifying information subject to a security breach, if known.
New Mexico House Bill 15, Data Breach Notification Act
- And Then There Were 48 (States): New Mexico Enacts a Security Breach Notification Statute, from the Davis Wright Tremaine Privacy & Security Law Blog
- New Mexico Passes Data Breach Notification and Protection Bill, from the BakerHostetler Data Privacy Monitor
- Security Breach Notification Becomes More Complex for Employers, from Lexology
What this means for privacy and security teams
New Mexico was one of the last holdouts to implement a breach notification law, and its recent change underlines the importance of personal information protection and breach notification. Rep. Bill Rehm, who sponsored the bill, explained in an interview:
"New Mexico is one of three states that do not have a data breach notification law. Our laws have not kept up with the pace of technology. This bill will remedy a gap in our existing consumer protections and put us on par with other states."
For those who must comply with unique laws in multi-jurisdictional breaches, the task just got a little more complex. As Mark L. Krotoski and Jenny Harrison of Morgan Lewis & Bockius LLP wrote in a recent article,
“While there are many similarities among the jurisdictions’ notification statutes, all 52 jurisdictional statutes are unique, creating a complicated and oftentimes contradictory system. Companies with residents in all jurisdictions will be forced to make potentially 52 separate assessments regarding the possible harm and impact of a data breach.”
If you’re a RADAR customer, the RADAR regulatory team continuously tracks changes in data breach notification laws for you and ensures that any such changes are applied in RADAR prior to enforcement. Summaries of all data breach notification statutes, including New Mexico House Bill 15, are available for reference within the RADAR Law Overviews.