New Mexico Data Breach Notification Law Explained

by John DiGiacomo

Partner

New Mexico recently became the 48th state in the US to adopt data breach notification laws. The new laws take effect June 16, 2017 and will apply in all situations in which a data breach occurs, i.e., an unauthorized attempt to access unencrypted or encrypted computerized data. In addition to providing governance on how personal identifying information owned or licensed by businesses and other entities must be stored and disposed of, the New Mexico Data Breach Notification Act also provides details of how affected individuals must be notified about any data breach affecting their personal identifying information.

What is Personal Identifying Information Under New Mexico’s New Bill?

The Data Breach Notification Act recognizes personal identifying information as:

  • Social Security numbers.
  • Driver’s license numbers.
  • Government-issued identification numbers.
  • Account numbers.
  • Credit card numbers or debit card numbers in conjunction with any associated codes, such as a personal identification number (PIN) or security code.
  • Biometric data, such as fingerprints, voiceprint, iris or retina scan, facial characteristics or hand geometry.

Notification Under the Data Breach Notification Act

Whenever a data breach occurs involving the exposure of the personal identifying information of a New Mexico resident, and there is a reasonable risk of identity theft or fraud as a result of the breach, the resident will be notified as soon as possible upon the discovery of the data breach, but no later than 45 calendar days after the discovery of the data breach. Notification must be made either by US postal mail, email, or another form of substitute notification (substitute notification can be made under special circumstances only).

The notification is required to contain certain information about the data breach in accordance with the Data Breach Notification Act. Specifically, notifications must include information concerning:

  • The name and contact information for the notifying individual.
  • What types of personal identifying information were impermissibly accessed in the breach (if known).
  • The date or date range of the breach (if known).
  • A description of the data breach incident.
  • Contact information for the major credit reporting agencies and advice about contacting these agencies.
  • The recipient’s rights under the federal Fair Credit Reporting Act.

When more than one thousand New Mexico residents are affected by a data breach, there is also an obligation to report the incident to the New Mexico Attorney General and the major consumer reporting agencies.

Notification can be Delayed in Limited Circumstances

The only justifiable reasons why notification could be delayed are:

  • That there is a pending criminal investigation that could be impeded by timely notification, and
  • Situations in which notification would interfere with efforts to determine the scope of the breach or to restore the integrity, security and confidentiality of the data system.

Consult With a Data Breach Lawyer

There is no time to lose once a data security breach has been identified. A majority of states and the European Union have data breach notification laws that set forth specific timeframes in which notifications need to be made. There are costly consequences for those entities who do not take notification of data breach situations seriously.

Contact us using the form on this page or call us at 855-473-8474.

Image credit to ruimc77.

How the New Mexico Data Breach Notification Act Compares to Other State Laws

When New Mexico enacted HB 15, the Data Breach Notification Act, effective June 16, 2017, it became the 48th state to adopt data breach notification requirements. The law brought New Mexico in line with the national standard, though the specific requirements differ from state to state in ways that matter significantly to businesses operating across multiple jurisdictions.

Comparing Notification Timelines Across Key States

The 45-day notification window in New Mexico’s law is relatively short compared to some states but longer than others. Consider how it stacks up against key state laws:

  • California (Cal. Civ. Code § 1798.82): Notification must be made “in the most expedient time possible and without unreasonable delay.” No specific deadline, but the Attorney General has interpreted this to mean no longer than 30–45 days in most circumstances.
  • Florida (Fla. Stat. § 501.171): 30 days from discovery for notifications affecting 500 or more individuals. One of the strictest timelines in the country.
  • New York (NY SHIELD Act): Notification must be made “in the most expedient time possible and without unreasonable delay.” Applies to any business that owns or licenses New York resident data, regardless of where the business is located.
  • HIPAA (45 C.F.R. § 164.404): 60 days from discovery for healthcare entities, which is more lenient than New Mexico’s 45-day window.

For businesses with customers in multiple states, the most restrictive applicable state law effectively governs timing. A breach affecting customers in Florida, New Mexico, and California simultaneously requires the business to comply with Florida’s 30-day window for the Florida residents, creating a cascading compliance challenge.

Security Requirements Under the New Mexico Act

Beyond notification, the New Mexico Data Breach Notification Act imposes affirmative security obligations on businesses that own or license personal identifying information of New Mexico residents. Covered businesses must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, use, modification, or disclosure.

The Act also requires covered businesses to take reasonable steps to destroy or arrange for the destruction of personal identifying information they no longer need to retain. This provision reflects the principle that you cannot breach data you no longer have—minimizing data retention reduces your liability exposure in the event of a future breach.

The Attorney General Enforcement Mechanism

New Mexico’s Attorney General has enforcement authority under the Act. When more than 1,000 residents are affected, businesses must notify the Attorney General in addition to providing individual notifications. The AG can seek civil penalties for violations. This creates a two-track exposure: direct regulatory enforcement by the state in addition to private claims from affected individuals.

What “Encrypted Data” Means for Notification Obligations

The New Mexico Act—like most state breach notification laws—applies to unauthorized access to both unencrypted and encrypted data, but only triggers notification when there is a reasonable risk of identity theft or fraud. For encrypted data, a covered business can often argue that no reasonable risk of harm exists if the encryption keys were not also compromised. This is a nuanced determination that requires legal and technical analysis in the immediate aftermath of a breach.

Businesses that implement strong encryption for data at rest and in transit using current standards—such as AES-256 for stored data—reduce both their security risk and their legal exposure in the event of a breach. Encryption is not a complete defense, but it is a significant one.

Building a Breach Response Plan Before You Need One

The most expensive data breach is the one you were not prepared for. A well-designed breach response plan addresses: incident detection and containment procedures, legal counsel engagement protocols, regulatory notification timelines by jurisdiction, consumer notification templates, credit monitoring vendor relationships, and public relations messaging guidelines. Companies that have a tested breach response plan typically resolve incidents faster, with lower total cost, and with less regulatory scrutiny than those that improvise under pressure.

Contact the data breach attorneys at Revision Legal to help build your breach response plan and ensure compliance with applicable state notification laws. Reach out today.
