New Mexico recently became the 48th state to enact a data breach notification law. On April 6, 2017, Governor Susana Martinez signed H.B. 15, New Mexico’s “Data Breach Notification Act” (the Act), into law. Currently, Alabama and South Dakota are the only states without a data breach notification law. The effective date of New Mexico’s Data Breach Notification Act is June 16, 2017.
New Mexico’s Data Breach Notification Act is similar to laws on this subject in other states. The Act requires a person that owns or licenses “personal identifying information” of a New Mexico resident to notify each New Mexico resident whose personal identifying information is reasonably believed to have been subject to a security breach. An owner or licensor of personal information includes, for example, a business that collects personal information from its customers. A security breach has occurred when there is unauthorized acquisition of unencrypted computerized data, or of encrypted data along with the key to encrypt the data. This encryption language is present in many state data breach notification laws, and is one of the many reasons that businesses should encrypt their data. Even if a security breach has occurred, the Act does not require notice if it is determined that the breach does not give rise to a significant risk of identity theft or fraud.
The Act’s definition of “personal identifying information” is similar to the definition used by other states, but it is notable because it includes biometric data. States have begun updating their data breach notification statutes to include biometric data as this type of data is more commonly used by consumers. New Mexico’s statute defines biometric data as a record generated by automatic measurements of an identified individual’s fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account.
There are two additional provisions of the Act that are important. The Act requires data owners and licensors to shred, erase or otherwise make unreadable personal identifying information contained in records when it is no longer reasonably needed for business purposes. Even when not required by statute, businesses should take steps to responsibly dispose of data. Careless disposal of personal information is an easy way to allow unauthorized access to personal information. Additionally, the Act requires data owners and licensors to implement and maintain reasonable security procedures and practices designed to protect personal identifying information from unauthorized access, destruction, use, modification or disclosure. Contracts with third-party service providers must require that the service provider implement and maintain such security procedures and practices as well. Unfortunately, the Act does not define what constitutes “reasonable security procedures and practices.”
New Mexico’s Data Breach Notification Act is the latest addition to the data breach notification legislative framework; however, state legislatures are constantly proposing updates to their data breach notification laws. We will continue to monitor legislation in this area and provide updates in the future.