Another day, another governmental entity hit with a ransomware attack. If you are a resident of Bernalillo County, New Mexico, and you need a marriage license, want to conduct a real estate transaction or register to vote, you might be told there is “no access to systems and no legal filings are possible” due to a cybersecurity “issue.” But you CAN still pay your taxes, as no extension is being given, despite the cyber event.

According to the Albuquerque Journal, the County announced on January 5, 2021, that it was a victim of a cyberattack that affected “a wide variety of county government operations. Most county buildings were closed until further notice.”

Not only was the clerk’s office closed for certain business transactions, but the County also filed an emergency notice in federal court that it was unable to comply with terms of a settlement involving conditions at the County jail because the ransomware attack knocked out access to the jail’s security cameras. As a result, all inmates were limited in how much time they could spend outside their cells, and their access to telephones and tablets was reduced. According to the article, the facility has been “on ‘lockdown’ since Wednesday.”

Court systems were disrupted as well, and personnel scrambled to set up alternate plans to “allow criminal proceedings to continue in the face of this unforeseen event.”

Ransomware attacks against local governmental entities are frequent and very disruptive to residents of that state, county, or municipality. And it does not look like the pace of attacks against local governments will ease any time soon.

New Mexico’s Attorney General, Hector Balderas, continues to champion children’s online privacy protections, this time settling with Google over alleged violations of the Children’s Online Privacy Protection Act (COPPA).

We previously reported that the AG sued Rovio Entertainment, the maker of Angry Birds, alleging that it violated COPPA by collecting data on players under the age of 13 and disclosing that information to advertisers.

General Balderas is on a roll, having just announced a settlement of two lawsuits against Google for violations of COPPA. The lawsuits were filed in 2018 and alleged that Google (and other tech companies) collected personal information from children under the age of 13 when they downloaded free games from Google Play.

The settlement requires Google to pay $3.85 million to create the “Google New Mexico Kids Initiative,” which will promote privacy, education, and safety for children in New Mexico. According to AG Balderas, “There are incredible risks lurking online and we should do everything we can to protect the privacy of children. I’m pleased that we demanded Google put the safety of our school children first and that we’re able to partner with Google in our shared commitment to innovation and education, putting these funds where they can do the most good.”

For its part, in addition to creating the Kids Initiative, Google has agreed to provide school administrators with tools to assist students with protecting their personal information and to actively police app developers so they do not collect information from children under the age of 13 without parental consent.

The New Mexico AG is making a name for himself in the area of children’s privacy. We will keep following his progress and see if any other AGs follow his lead.

Governor Susana Martinez recently signed into law the New Mexico “Data Breach Notification Act” (the Act), making New Mexico the 48th state (plus Puerto Rico and the District of Columbia) to adopt legislation mandating the provision of notice in the event of a data breach.

The Act – which takes effect June 16, 2017 – requires persons that own or license personal identifying information of New Mexico residents to notify each resident whose personal identifying information is reasonably believed to have been subject to a security breach. The Act also implements security standards for the use, storage and disposal of personal identifying information by such persons. The Act includes the following important definitions:

On August 15, 2025, a bipartisan coalition of 37 state Attorneys General, led by Georgia Attorney General Chris Carr and New Mexico Attorney General Raul Torrez, sent a letter to Instagram requesting that it make “immediate changes to its newly implemented location-sharing feature, which allows a user’s precise location to be displayed on a map.”

The letter “emphasizes the heightened dangers for vulnerable users, including children and survivors of domestic violence, noting that such tools can be exploited by predators, stalkers, and other malicious actors.”

The letter requests that Instagram:

  • Ensure that minors cannot enable location-sharing features;
  • Send a clear alert to all adult users explaining the feature, outlining its risks, and providing full disclosure on how Instagram will use the location data; and
  • Provide a simple, easy-to-access control to disable location sharing at any time for adults who choose to opt in.

The attorneys general of Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, Florida, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan, Minnesota, Missouri, Montana, Nebraska, New Jersey, New York, Nevada, North Carolina, Oklahoma, Rhode Island, South Carolina, South Dakota, Texas, Tennessee, Utah, Virginia, Vermont, West Virginia, and Wyoming also joined the letter. 

The letter outlines that the new feature

[E]nables users to see and share detailed, real-time location data through Instagram’s map interface. This functionality, if not carefully controlled, poses clear risks of stalking, harassment, and other forms of exploitation. It also represents a troubling expansion of the personal data Instagram collects and makes accessible, which can be misused by malicious actors.

The letter also notes that the location-sharing feature poses a “particular risk for minors as they can be readily used by sexual predators to identify and geographically target children in the real world.”

Parents need to be aware of this new feature, discuss it with children, and decide whether to enable the feature’s functionality or location sharing at all. All users of Instagram should assess whether to enable location sharing.

How does one turn the Friend Map on and off?

  1. Open the Instagram app.
  2. Tap on the paper plane “Messenger” icon in the top right.
  3. Then, tap the “Map” at the top of your inbox.
  4. Hit “Settings” in the upper right.
  5. When it asks, “Who can see your location?”, choose “NO ONE.”

    Your location is now OFF, and other Instagram users cannot see where you’ve been.

    On April 8, the Montana legislature sent its new social media law to the Governor for signature, and on March 23, Virginia passed legislation prohibiting an employer from requiring, requesting, or causing a current or prospective employee to disclose the username and password of his or her social media accounts, or requiring an employee to obtain the username and password or other access to a current or prospective employee’s social media account. These two states have joined 17 others that have similar prohibitions.

    Connecticut and West Virginia failed to pass similar social media legislation earlier this month, and Mississippi and Wyoming rejected their proposed legislation in February.

    Last year, approximately 28 states considered social media legislation that, in general, prohibited employer access to social media accounts, but only 7 states were successful in enacting laws on the subject, including Louisiana, Maine (which authorized a study into the issue), New Hampshire, Oklahoma, Rhode Island, Tennessee, and Wisconsin. This brought the total number of states that have enacted such legislation to 17, as 10 states (Arkansas, Colorado, Illinois, Nevada, New Jersey, New Mexico, Oregon, Utah, Vermont (authorizing a study), and Washington) enacted social media legislation in 2013.

    Employers doing business in these 19 states may wish to review the statutory prohibitions with counsel, and employers in the other states—keep watching social media legislation as your state is probably not far behind. Whether your state prohibits access to social media accounts of your employees or prospective employees through statute or not, this is an area that warrants caution.

    On December 17, 2025, a bipartisan group of 23 Attorneys General from the states of Arizona, California, Colorado, Connecticut, Delaware, Hawai’i, Illinois, Maine, Maryland, Massachusetts, Minnesota, Nevada, New Jersey, New Mexico, North Carolina, Oregon, Rhode Island, Tennessee, Utah, Vermont, Washington, Wisconsin, and the District of Columbia, sent a comment letter to the Federal Communications Commission (FCC) “opposing the preemption of state laws on artificial intelligence.” The letter was in response to the FCC’s notice of inquiry published in September that it would use its regulatory powers to preempt state AI laws.

    The letter argues that the FCC lacks authority to preempt state law, and that such would harm state interests. The letter comes on the heels of Executive Order 14365 (EO) signed by President Trump on December 11, 2025, that requires the Secretary of Commerce to “publish an evaluation of existing State AI laws that identifies onerous laws that conflict” with the administration’s policy “to sustain and enhance the United States’ global AI dominance through a minimally burdensome national policy framework for AI” within 90 days. The EO further requires the Secretary of Commerce to issue a Policy Notice that provides “that States with onerous AI laws… are ineligible for non-deployment funds to the maximum extent allowed by Federal law.”

    In opposing a proposed preemption of state AI laws, California Attorney General Rob Bonta said the individual states

    are on the front lines of consumer protecting, including when it comes to emerging technology….like any emerging technology, there are risks to adoption without responsible, appropriate, and thoughtful oversight. States have played a leading role in developing strong privacy and technology protections to address a wide range of harms associated with AI and automated decision-making. State authorities are often the first to receive consumer complaints and identify problematic practices and have the proximity and agility to identify emerging threats and implement innovative solutions.

    The bipartisan letter to the FCC follows another effort by a bipartisan coalition of 36 state attorneys general who sent a letter to Congress in November opposing a proposed provision in the National Defense Authorization Act that would preempt state AI laws. That provision was ultimately not included in the final law. Additionally, in May 2025, there was an effort by some in Congress to propose a 10-year ban on the ability of states to enact laws related to the use of AI which also failed.

    Ultimately, there will be a battle between the federal government and state legislatures over AI regulation. It is clear that the Trump administration seeks minimal regulation, despite the known risks, and state Attorneys General, charged with protection of consumers, feel very differently. I suspect we will see how it plays out in court.

    According to NextGov, it obtained a screenshot of an incident overview presentation that confirmed “a ‘widespread cybersecurity incident’ at the Federal Emergency Management Agency [that] allowed hackers to make off with employee data from both the disaster management office and U.S. Customs and Border Protection.”

    The incident reportedly started on June 22, 2025, when “hackers accessed Citrix virtual desktop infrastructure inside FEMA using compromised login credentials,” which appear to be associated with the CitrixBleed 2.0 vulnerability. Data was exfiltrated from Region 6 servers, which include Alabama, Louisiana, New Mexico, Oklahoma, Texas, and 70 tribal nations. Department of Homeland Security (DHS) staff was notified on July 7 and, on July 14, the threat actor, using stolen credentials, attempted to install virtual networking software to exfiltrate data.

    Remediation efforts were taken on July 16 and September 5. All FEMA employees were required to change their passwords. According to the presentation, DHS and FEMA confirmed on September 10 that employee data had been exfiltrated from the Region 6 servers through the Citrix vulnerability.

    As a former Assistant Attorney General, I have a soft place in my heart for Attorneys General as consumer protection advocates. Most state AGs have the primary jurisdiction to enforce compliance with consumer protection laws in their states. Some are more aggressive than others, such as New Mexico Attorney General Hector Balderas, who recently sued Rovio Entertainment, the maker of Angry Birds, alleging that Rovio violated the Children’s Online Privacy Protection Act (COPPA) by collecting data on players under the age of 13 and disclosing it to advertisers.

    According to Balderas’s allegations, Rovio monetizes children by collecting data while they are playing Angry Birds and uses the data for targeted advertising, also known as behavioral advertising.

    Although the case is in its infancy, it is a reminder to parents, grandparents, and caretakers of children under the age of 13 that there are laws in place that require consent of parents or guardians of minors under the age of 13 for the collection of their data during their online activity. If you are a caretaker for a child under the age of 13, whether you are a parent or otherwise, it is important to keep track of the consents given in the past, or when you give consent for the child to use an online platform, such as a game. The consents are there as protections for children’s information and the use and sale of it. Laws such as COPPA have been enacted by Congress for the protection of children, but if parents and other caretakers are not paying attention and availing themselves of the protection, they may unwittingly fail to protect the child’s data.

    Before giving consent for a child to use an online platform that collects, uses, or sells their data, read the online platform’s privacy policy to see what they are doing with the data. Do you agree with how they are sharing your child’s online activity data? Are they selling it?

    If you have already given consent and your child uses an online platform frequently, go back and read the privacy policy to see if it has changed or if you still agree with it (or read it for the first time). Talk to your child about online activity and how their information is being collected, used and sold. Educate your child about the consequences of online activity.

    Although AGs do their best to protect all of us as consumers, we can’t rely on them alone. We have to take responsibility to protect ourselves and our children from harm, including harm associated with online activity.

    As the use of unmanned aerial systems (UAS, or drones, as they are more commonly called) continues to increase rapidly and the technology continues to develop, more and more industries, including the oil and gas industry, will use UAS in their day-to-day operations. Initially, UAS were mainly used in the oil and gas industry for conducting inspections, but now UAS are becoming part of the fabric of the industry. UAS are now used for a variety of tasks, from monitoring pipelines to providing assistance during oil spills. UAS are more efficient than previously used techniques and can also offer an element of safety by removing people from potentially dangerous missions.

    When the oil and gas industry conducts maritime missions in the water, UAS are used for surveying and inspections including structural surveys, pipeline inspections, bottom debris surveys and sub-sea facility inspections. Aerial missions in the oil and gas industry using UAS are also becoming more common. UAS are being used to conduct flyovers in oilfields of Alaska and monitor oil and gas production in New Mexico. UAS can even be used to detect oil and gas leaks which may lead to less catastrophic events involving the oil and gas industry, and save the environment from the hazardous effects of oil and gas spills.

    While UAS currently hold a valuable position in the oil and gas industry, it is likely that UAS will have an even bigger place going forward.

    The Office for Civil Rights (OCR) has announced that it has entered into a settlement with St. Joseph Health, which operates hospitals and nursing homes in California, Texas and New Mexico, for $2.14 million for alleged HIPAA violations.

    St. Joseph Health notified the OCR on February 14, 2012, of a data breach involving the protected health information of 31,800 patients when one of its servers included a file sharing application that used default settings and allowed access to the information through the internet in 2011 and 2012. According to the press release, the information was available through internet search engines during that time frame.

    The files were PDF files that included the names, health status, diagnosis and demographic information of the patients.

    The OCR noted that although St. Joseph Health hired contractors to assess risks and vulnerabilities of ePHI on its system, those assessments “did not result in an enterprise risk analysis.” According to the OCR, the security risk assessment was conducted in a “patchwork fashion and did not result in an enterprise-wide risk analysis.” Unfortunately, there is no further information on what the OCR means by this statement or what type of security risk assessment it deems sufficient.

    In addition to the fine, St. Joseph also entered into a Corrective Action Plan with the OCR.