On April 6, 2017, New Mexico joined 47 states, D.C., Guam, Puerto Rico, and the U.S. Virgin Islands when Governor Susana Martinez signed House Bill 15, codifying the Data Breach Notification Act.  With New Mexico becoming the 48th state to enact a security breach notification statute, only Alabama and South Dakota have not codified requirements for reporting a data breach incident.  When New Mexico’s law goes into effect on June 16, 2017, not only will it govern data breach notification requirements for entities storing and using personal identifying information about New Mexico residents, but it will also establish requirements for securing and disposing of that information.

New Mexico is now in line with the majority of states’ data breach notification statutes.  For example, the data breach provisions come into play whenever there is an unauthorized acquisition of computerized data that includes personal identifying information, as specifically defined, relating to a New Mexico resident and the acquisition creates a significant risk of that resident suffering from identity theft or fraud as a result.  If the statute is triggered, notifications to the affected residents and, in certain circumstances, the New Mexico Attorney General and major National Credit Reporting Agencies, must be made through certain methods and detailing certain information.  While many of these elements mirror those codified in other states’ analogous legislation, several elements of New Mexico’s statute stand out.

Key Takeaways and Unique Elements of New Mexico’s Security Breach Notification Statute

  • Notifications to New Mexico residents (and to the Attorney General and Consumer Reporting Agencies if over 1,000 residents are impacted by a single incident) must be made within forty-five (45) calendar days of discovery of the security breach.
  • The 45-day deadline may be delayed at the request of law enforcement OR as necessary to determine the scope of the breach or restore the integrity, security, and confidentiality of the data system.
    • Therefore, notifications produced after this deadline due to ongoing forensics investigations seeking to determine what happened, who was affected, and what the resulting risk might be and/or efforts to resolve vulnerabilities and fortify the system may not be in violation of this statute.
  • Notification is not required where an investigation determines that the security breach did not give rise to a significant risk of identity theft or fraud.
  • Third-party service providers that are granted access to residents’ personal identifying information must conduct the same investigation and meet the same 45-day deadline (subject to the permissible notification delay provision) when determining whether notification to the data owner or licensor is required.
  • Where providing notifications through the substitute notification method, in addition to other standard elements, notification must also be sent to the Attorney General regardless of the number of residents affected by the security breach.
  • Entities subject to GLBA or HIPAA are entirely exempted from the provisions of this statute.
  • In addition to codifying obligations with respect to security breach notifications, the statute requires subject entities to:
    • Implement reasonable security procedures and practices;
    • Contractually require third-party service providers to also implement reasonable security procedures and practices; and
    • Ensure proper disposal of records containing New Mexico residents’ personal identifying information when no longer reasonably needed for business purposes.

Further details on data breach notification requirements, as codified by the remaining 47 states (plus D.C., Guam, Puerto Rico, and the U.S. Virgin Islands), are available on the DWT State Data Breach Heat Maps.