On February 15, 2017, the New Mexico State House of Representatives unanimously passed the Data Breach Notification Act (HB-15) (the “Act”). Should this bill pass the state Senate and be signed into law, Alabama and South Dakota will become the only two states to yet enact a law which requires organizations to notify residents in the event of a data breach. The provisions of the Act do not stray too far from the general provisions that are seen in other states’ breach notification laws, and among other things require (i) notification to persons affected by a security breach involving personal identifying information, (ii) secure storage and disposal of data containing personal identifying information, and (iii) notification to consumer reporting agencies, the office of the attorney general and card processors in certain circumstances. Some highlights of the Act include the following:
- Personal Identifying Information includes unique biometric data, including a person’s fingerprint, voice print or retina or iris image;
- Personal identifying information of a New Mexico resident shall be disposed of when they are no longer reasonably needed for business purposes (meaning shredding, erasing or otherwise making unreadable or undecipherable);
- Any person that discloses personal identifying information of a New Mexico resident pursuant to a contract with a service provider shall require by contract that the service provider implement and maintain reasonable security procedures and practices;
- Any person that owns or maintains elements that include personal identifying information of a New Mexico resident shall provide notification to each New Mexico resident whose personal identifying information is reasonably believed to have been subject to a security breach. Notification shall be made in the most expedient time possible, but not later than thirty calendar days following discovery of the security breach, However, notification to affected New Mexico residents is not required if, after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud;
- Any person that maintains or possesses computerized data containing personal identifying information of a New Mexico resident that the person does not own or license shall notify the owner or licensee of the information of any security breach in the most expedient time possible following discovery of the breach;
- The provisions of the Act shall not apply to a person subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996;
- The notification required by the Act may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation, or as necessary to determine the scope of the security breach and restore the integrity, security and confidentiality of the data system;
- A person that is required to issue notification of a security breach pursuant to Act to more than one thousand New Mexico residents as a result of a single security breach shall notify the office of the attorney general and major consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, of the security breach in the most expedient time possible, and no later than thirty calendar days; and
- A person that is required to issue notification of a security breach pursuant to the Act as a result of a security breach involving a credit card number or debit card number shall notify each merchant services provider to which the person transmitted the credit card number or debit card number. Notification pursuant to this section shall be made within ten business days following discovery of the security breach.
The Act also allows for Attorney General enforcement and civil penalties for non-compliance. In particular, when the Attorney General has a reasonable belief that a violation of Act has occurred, the Attorney General may bring an action on the behalf of individuals and in the name of the state seeking an injunction and/or an award damages for actual costs or losses, including consequential financial losses. As far as costs, if the court determines that a person violated the Act knowingly or recklessly, the court may impose a civil penalty of the greater of twenty-five thousand dollars ($25,000) or, in the case of failed notification, ten dollars ($10.00) per instance of failed notification up to a maximum of one hundred fifty thousand dollars ($150,000).
Organizations that maintain the personal identifying information of New Mexico residents should be sure to track the Act’s progress through the state Senate, and of course, if enacted into law, comply with its provisions.