New Mexico Enacts Data Breach Notification Act
On April 6, New Mexico Governor Susana Martinez signed into law the Data Breach Notification Act (H.B. 15), making New Mexico the 48th state to pass a data breach notification law. Under the new law—which is scheduled to take effect on June 16—companies are now required to notify any New Mexico residents (and in certain circumstances consumer reporting agencies and the state’s attorney general) following the discovery of a “security breach” involving that resident’s “personal identifying information.” The Act—which unanimously cleared both New Mexico’s House and Senate—also establishes standards for the secure storage and disposal of data containing personal identifying information and provides for civil penalties for violations.
According to the Act, “personal identifying information” consists of an individual’s first name or first initial and last name in combination with any one or more of the following data elements: (i) Social Security number; (ii) driver's license number or government issued identification number; (iii) account number, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; or (iv) biometric data. As with many other states’ breach notice laws, the term “security breach” is defined as “the unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality or integrity of personal identifying information maintained by a person.” However, notice to affected residents is not required if the entity “determines that the security breach does not give rise to a significant risk of identity theft or fraud.” The Act also sets out the required contents of, and methods for providing, notification—which generally must be made no later than 45 days after the breach was discovered—including substitute methods if certain criteria are met. Certain entities, including those subject to GLBA or HIPAA, are exempt from the requirements of the Act.
Notably, the Act does not provide its citizens with a private right of action, but rather charges the state’s attorney general with enforcing the Act through legal actions on behalf of affected individuals. The Act provides for the issuance of injunctive relief and/or damages for actual losses including consequential financial losses. For knowing or reckless violations of the Act, a Court also may impose civil penalties of $25,000, or in the case of a failure to notify, a penalty of $10 per instance up to a maximum penalty of $150,000.