New Mexico Enacts New Data Breach Notification Laws

by John DiGiacomo

Partner

Data Breach

New Mexico recently became the 48th state in the US to adopt data breach notification laws. The new laws take effect June 16, 2017 and will apply in all situations in which a data breach occurs, i.e., an unauthorized attempt to access unencrypted or encrypted computerized data. In addition to providing governance on how personal identifying information owned or licensed by businesses and other entities must be stored and disposed of, the New Mexico Data Breach Notification Act also provides details of how affected individuals must be notified about any data breach affecting their personal identifying information.

What is Personal Identifying Information Under New Mexico’s New Bill?

The Data Breach Notification Act recognizes personal identifying information as:

  • Social Security numbers.
  • Driver’s license numbers.
  • Government-issued identification numbers.
  • Account numbers.
  • Credit card numbers or debit card numbers in conjunction with any associated codes, such as a personal identification number (PIN) or security code.
  • Biometric data, such as fingerprints, voiceprint, iris or retina scan, facial characteristics or hand geometry.

Notification Under the Data Breach Notification Act

Whenever a data breach occurs involving the exposure of the personal identifying information of a New Mexico resident, and there is a reasonable risk of identity theft or fraud as a result of the breach, the resident will be notified as soon as possible upon the discovery of the data breach, but no later than 45 calendar days after the discovery of the data breach. Notification must be made either by US postal mail, email, or another form of substitute notification (substitute notification can be made under special circumstances only).

The notification is required to contain certain information about the data breach in accordance with the Data Breach Notification Act. Specifically, notifications must include information concerning:

  • The name and contact information for the notifying individual.
  • What types of personal identifying information were impermissibly accessed in the breach (if known).
  • The date or date range of the breach (if known).
  • A description of the data breach incident.
  • Contact information for the major credit reporting agencies and advice about contacting these agencies.
  • The recipient’s rights under the federal Fair Credit Reporting Act.

When more than one thousand New Mexico residents are affected by a data breach, there is also an obligation to report the incident to the New Mexico Attorney General and the major consumer reporting agencies.

Notification can be Delayed in Limited Circumstances

The only justifiable reasons why notification could be delayed are:

  • That there is a pending criminal investigation that could be impeded by timely notification, and
  • Situations in which notification would interfere with efforts to determine the scope of the breach or to restore the integrity, security and confidentiality of the data system.

Consult With a Data Breach Lawyer

There is no time to lose once a data security breach has been identified. A majority of states and the European Union have data breach notification laws that set forth specific timeframes in which notifications need to be made. There are costly consequences for those entities who do not take notification of data breach situations seriously.

Contact us using the form on this page or call us at 855-473-8474.

Image credit to ruimc77.
