
New Mexico Enacts New Data Breach Notification Laws

by John DiGiacomo

Partner

Data Breach

New Mexico recently became the 48th state in the US to adopt data breach notification laws. The new laws take effect June 16, 2017 and will apply in all situations in which a data breach occurs, i.e., an unauthorized attempt to access unencrypted or encrypted computerized data. In addition to providing governance on how personal identifying information owned or licensed by businesses and other entities must be stored and disposed of, the New Mexico Data Breach Notification Act also provides details of how affected individuals must be notified about any data breach affecting their personal identifying information.

What is Personal Identifying Information Under New Mexico’s New Bill?

The Data Breach Notification Act recognizes personal identifying information as:

  • Social Security numbers.
  • Driver’s license numbers.
  • Government issued identification numbers.
  • Account numbers.
  • Credit card numbers or debit card numbers in conjunction with any associated codes, such as a personal identification number (PIN) or security code.
  • Biometric data, such as fingerprints, voiceprint, iris or retina scan, facial characteristics or hand geometry.

Notification Under the Data Breach Notification Act

Whenever a data breach occurs involving the exposure of the personal identifying information of a New Mexico resident, and there is a reasonable risk of identity theft or fraud as a result of the breach, the resident will be notified as soon as possible upon the discovery of the data breach, but no later than 45 calendar days after the discovery of the data breach. Notification must be made either by US postal mail, email, or another form of substitute notification (substitute notification can be made under special circumstances only).

The notification is required to contain certain information about the data breach in accordance with the Data Breach Notification Act. Specifically, notifications must include information concerning:

  • The name and contact information for the notifying individual.
  • What types of personal identifying information were impermissibly accessed in the breach (if known).
  • The date or date range of the breach (if known).
  • A description of the data breach incident.
  • Contact information for the major credit reporting agencies and advice about contacting these agencies.
  • The recipient’s rights under the federal Fair Credit Reporting Act.

When more than one thousand New Mexico residents are affected by a data breach, there is also an obligation to report the incident to the New Mexico Attorney General and the major consumer reporting agencies.

Notification can be Delayed in Limited Circumstances

The only justifiable reasons why notification could be delayed are:

  • That there is a pending criminal investigation that could be impeded by timely notification, and
  • Situations in which notification would interfere with efforts to determine the scope of the breach or to restore the integrity, security and confidentiality of the data system.

Consult With a Data Breach Lawyer

There is no time to lose once a data security breach has been identified. A majority of states and the European Union have data breach notification laws that set forth specific timeframes in which notifications need to be made. There are costly consequences for those entities who do not take notification of data breach situations seriously.

Contact us using the form on this page or call us at 855-473-8474.

Image credit to ruimc77.
