New Mexico recently became the 48th state to enact a data breach notification law. On April 6, 2017, Governor Susana Martinez signed H.B. 15, New Mexico’s “Data Breach Notification Act” (the Act), into law. Currently, Alabama and South Dakota are the only states without a data breach notification law. The effective date of New Mexico’s Data Breach Notification Act is June 16, 2017.
New Mexico’s Data Breach Notification Act is similar to laws on this subject in other states. The Act requires a person that owns or licenses “personal identifying information” of a New Mexico resident to notify each New Mexico resident whose personal identifying information is reasonably believed to have been subject to a security breach. An owner or licensor of personal information includes, for example, a business that collects personal information from its customers. A security breach has occurred when there is unauthorized acquisition of unencrypted computerized data, or of encrypted data along with the key to encrypt the data. This encryption language appears in many state data breach notification laws, and is one of the many reasons that businesses should encrypt their data. Even if a security breach has occurred, the Act does not require notice if it is determined that the breach does not give rise to a significant risk of identity theft or fraud.
The Act’s definition of “personal identifying information” is similar to the definition used by other states, but it is notable because it includes biometric data. States have begun updating their data breach notification statutes to include biometric data as this type of data is more commonly used by consumers. New Mexico’s statute defines biometric data as a record generated by automatic measurements of an identified individual’s fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account.
There are two additional provisions of the Act that are important. The Act requires data owners and licensors to shred, erase or otherwise make unreadable personal identifying information contained in records when it is no longer reasonably needed for business purposes. Even when not required by statute, businesses should take steps to responsibly dispose of data. Careless disposal of personal information is an easy way to allow unauthorized access to personal information. Additionally, the Act requires data owners and licensors to implement and maintain reasonable security procedures and practices designed to protect personal identifying information from unauthorized access, destruction, use, modification or disclosure. Contracts with third-party service providers must require that the service provider implement and maintain such security procedures and practices as well. Unfortunately, the Act does not define what constitutes “reasonable security procedures and practices.”
New Mexico’s Data Breach Notification Act is the latest addition to the data breach notification legislative framework; however, state legislatures are constantly proposing updates to their data breach notification laws. We will continue to monitor legislation in this area and provide updates in the future.
If you have any questions regarding state data breach notification laws, or need assistance creating an information security plan, please contact Tim Hayes at McKenna Storer.