We are anxiously waiting to learn the fate of the data breach notification statute recently passed by state lawmakers in New Mexico. The bill remains on the desk of the governor, who has until the end of the week to sign the legislation into law. If she does, New Mexico will join 47 other states (along with the District of Columbia, Puerto Rico, and the Virgin Islands) in imposing at least some obligations on persons or entities holding personal information in the wake of a security incident. We may need to update the Mintz Matrix soon.
Many of the particulars of New Mexico’s House Bill 15 – called the Data Breach Notification Act (the “Act”) – are similar to existing statutes in other states. But there are a few differences, and as always, the more granular details are where we find the obligations which are most important to businesses trying to navigate a breach scenario. Let’s take a closer look at some of the specifics:
- Definition of Security Breach. Security Breach is defined in part as the “unauthorized acquisition of unencrypted computerized data,” which is narrower than in many states, where incidents involving unauthorized access to (but not acquisition of) personal information will also trigger obligations under those states’ statutes.
- Scope of Personal Information. The Act’s definition of Personal Information picks up biometric data (such as a person’s fingerprint, voice print, retina or iris patterns, or facial characteristics) in addition to the data elements which have become standard in breach notification statutes across the country, i.e. social security number, driver’s license or government-issued ID number, and account number, credit card number or debit card number combined with any security code, access code or password needed to access the account. To trigger the Act’s requirements, compromised data elements must be combined with an individual’s first name or first initial and last name and must not be protected by encryption or redaction or otherwise rendered unreadable or unusable. Bucking recent trends, New Mexico chose not to include usernames or email addresses in combination with passwords or security questions and answers as part of its definition.
- Notification Obligations. After experiencing a security breach, a person or entity that owns or maintains computerized data containing personal information (a “Covered Entity”) must notify affected residents in New Mexico within 45 calendar days following discovery of the security breach unless delay is permitted due to a criminal or internal investigation. If more than 1,000 residents are affected, the Covered Entity must also notify the state’s Attorney General as well as major consumer reporting agencies within 45 calendar days. Third parties that maintain or possess computerized data belonging to someone else must notify this person or entity about a breach within 45 calendar days.
- Content of Notifications. When providing notice to affected residents, a Covered Entity must provide certain information in its written notice. Such requirements appear in many state statutes but most businesses continue to look to the guidelines imposed by California when drafting a notice letter since that state’s laws are the most prescriptive with respect to content requirements.
- No Likelihood of Harm. Notification to New Mexico residents is not required if, after an appropriate investigation, a Covered Entity determines that the security breach does not give rise to a significant risk of identity theft or fraud. Third parties are also off the hook for their notification obligations if they make such a determination.
- Exceptions for Regulated Entities. As in many states, a Covered Entity that is otherwise subject to the federal Gramm-Leach-Bliley Act (GLBA) or Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not have to comply with the requirements of the Act.
- Security and Records Retention. As in Massachusetts and a few other states, New Mexico’s law goes beyond mere breach notification obligations and also requires Covered Entities to implement and maintain reasonable security measures to protect personal information and to arrange for proper disposal of records containing personal information when they are no longer reasonably needed for business purposes.
- Enforcement. The Act does not provide for a private consumer right of action but does empower the Attorney General to ask a court for an injunction or an award of damages for violations. A Covered Entity could be subject to a civil penalty of the greater of $25,000 or $10 per instance of failed notification up to a maximum of $150,000.
The Act was passed unanimously by both the House and Senate in New Mexico and commentators expect the governor to sign the bill. In the absence of a federal effort to pass national security breach legislation — #MLWashingtonCyberwatch — we anticipate significant regulatory activity at the state level, and this long-awaited movement from New Mexico could be an early signal that states will be taking the lead on consumer protection and privacy. We will keep an eye on this bill and provide an update once the governor has issued a press release.