Governor Susana Martinez recently signed into law the New Mexico “Data Breach Notification Act” (the Act), making New Mexico the 48th state (plus Puerto Rico and the District of Columbia) to adopt legislation mandating the provision of notice in the event of a data breach.

The Act – which takes effect June 16, 2017 – requires persons that own or license personal identifying information of New Mexico residents to notify each resident whose personal identifying information is reasonably believed to have been subject to a security breach. The Act also implements security standards for the use, storage and disposal of personal identifying information by such persons. The Act includes the following important definitions:

  • “security breach” means “the unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality or integrity of personal identifying information maintained by a person.”
  • “personal identifying information” refers to “an individual’s first name or first initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable:
    • social security number;
    • driver’s license number;
    • government-issued identification number;
    • account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a person’s financial account; or
    • biometric data.”
      • This definition does not include any publicly available information.

The Act requires notice to be provided “in the most expedient time possible” and no later than 45 days following discovery of the security breach (except as necessary (i) for law enforcement purposes, or (ii) “to determine the scope of the security breach and restore the integrity, security and confidentiality of the data system”). This second exception to the Act’s notice deadline is interesting, as it appears to establish a subjective standard upon which entities could rely in the event notice is not furnished within 45 days. Moreover, notice is not required where it is determined that the security breach does not give rise to a significant risk of identity theft or fraud (and the Act does not define “significant risk”).

Importantly, a person required to provide notice of a security breach to more than 1000 New Mexico residents is also required to notify the New Mexico Attorney General and major consumer reporting agencies. The Act permits the Attorney General to bring a civil action on behalf of affected individuals and the State of New Mexico for violations of the Act, and provides for civil penalties of up to $150,000 in total for knowing or reckless violations.