New Mexico Enacts New Data Breach Notification Laws featured image

New Mexico Enacts New Data Breach Notification Laws

by John DiGiacomo

Partner

Data Breach

New Mexico recently became the 48th state in the US to adopt data breach notification laws. The new laws take effect June 16, 2017 and will apply in all situations in which a data breach occurs, i.e., an unauthorized attempt to access unencrypted or encrypted computerized data. In addition to providing governance on how personal identifying information owned or licensed by businesses and other entities must be stored and disposed of, the New Mexico Data Breach Notification Act also provides details of how affected individuals must be notified about any data breach affecting their personal identifying information.

What is Personal Identifying Information Under New Mexico’s New Bill?

The Data Breach Notification Act recognizes personal identifying information as:

  • Social Security numbers.
  • Driver’s license numbers.
  • Government issued identification numbers.
  • Account numbers.
  • Credit card numbers or debit card numbers in conjunction with any associated codes, such as a personal identification number (PIN) or security code.
  • Biometric data, such as fingerprints, voiceprint, iris or retina scan, facial characteristics or hand geometry.

Notification Under the Data Breach Notification Act

Whenever a data breach occurs involving the exposure of the personal identifying information of a New Mexico resident, and there is a reasonable risk of identity theft of fraud as a result of the breach, the resident will be notified as soon as possible upon the discovery of the data breach, but no later than 45 calendar days after the discovery of the data breach. Notification must be made either by US postal mail, email, or another form of substitute notification (substitute notification can be made under special circumstances only).

The notification is required to contain certain information about the data breach in accordance with the Data Breach Notification Act. Specifically, notifications must include information concerning:

  • The name and contact information for the notifying individual.
  • What types of personal identifying information was impermissibly accessed in the breach (if known).
  • The date or date range of the breach (if known).
  • A description of the data breach incident.
  • Contact information for the major credit reporting agencies and advice about contacting these agencies.
  • The recipient’s rights the federal Fair Credit Reporting Act.

When more than one thousand New Mexico residents are affected by a data breach, there is also an obligation to report the incident to the New Mexico Attorney General and the major consumer reporting agencies.

Notification can be Delayed in Limited Circumstances

The only justifiable reasons why notification could be delayed are:

  • That there is a pending criminal investigation that could be impeded by timely notification, and
  • Situations in which notification would interfere with efforts to determine the scope of the breach or to restore the integrity, security and confidentiality of the data system.

Consult With a Data Breach Lawyer

There is no time to lose once a data security breach has been identified. A majority of states and the European Union have data breach notification laws that set forth specific timeframes in which notifications need to be made. There are costly consequences for those entities who do not take notification of data breach situations seriously.

Contact us using the form on this page or call us at 855-473-8474.

Image credit to ruimc77.

Extra, Extra!
Recent Posts

Can I Trademark a Non-English Word or Phrase in the U.S.?

Can I Trademark a Non-English Word or Phrase in the U.S.?

Trademark

Yes, as long as the proposed trademark meets the other requirements for registration. U.S. trademark laws do not require that only the English language can be used for trademarks. However, whatever the language, trademarks must meet the legal requirements, including functionality, distinctiveness, uniqueness, etc. For example, every trademark must function as a trademark in that […]

Read more about Can I Trademark a Non-English Word or Phrase in the U.S.?

California’s Age-Appropriate Design Code Act Declared Wholly Unconstitutional

California’s Age-Appropriate Design Code Act Declared Wholly Unconstitutional

Internet Law

In a new ruling, a California federal judge has declared the entirety of California’s Age-Appropriate Design Code Act (“CAADCA”) to be unconstitutional. Cal. Civ. Code §§ 1798.99.28 et seq. See media report here and the Opinion here. The case is Netchoice, LLC. v. Bonta, Case No. 22-cv-08861-BLF (US N.Dist. Cal, March 13, 2025). The CAADCA […]

Read more about California’s Age-Appropriate Design Code Act Declared Wholly Unconstitutional

Put Revision Legal on your side