Almost all U.S. states have laws about data security and what to do when there’s a data breach. New Mexico recently added such a law. Here is what’s in the New Mexico law.
Who The Law Applies To. The law applies to anyone who conducts business in New Mexico and who owns or licenses elements that include personal identifying information of a New Mexico resident. It also applies to anyone who receives, stores, maintains, licenses, processes or is permitted access to personal identifying information for someone else.
The New Mexico law defines personal information as an individual’s first name or first initial and last name in combination with any of the following, if that data is not protected through encryption, redaction or some other means of rendering it unreadable:
- Social security number; or
- Driver’s license or government-issued identification number; or
- Account number, credit card number, or debit card number, in combination with any required security code, access code or password that would permit access to the account; or
- Biometric data.
What The Law Requires. The trigger is when the data owner or service provider becomes aware of an incident of unauthorized acquisition of unencrypted data that compromises the security, confidentiality or integrity of personal identifying information. The data owner or service provider must conduct a prompt investigation to determine if there has been a breach. If there has been a breach, notification of affected residents is required. If more than 1,000 New Mexico residents must be notified, the person providing notification must also notify the New Mexico Attorney General and major consumer credit reporting agencies.
What Is a Breach. The term “breach” under this law means unauthorized acquisition of unencrypted data that compromises the security, confidentiality or integrity of personal identifying information. It can also be the unauthorized acquisition of encrypted personal information, if the encryption key or security credential was acquired by the unauthorized person.
When and How To Notify. If a breach is confirmed, the data owner or service provider must notify the individual “in the most expedient time possible” and no later than 45 days. Notice by regular mail is permitted. Notice by email is permitted if that is the primary method of communicating with the resident.
The notification must include, at a minimum, the following:
- The name and contact information of the notifying person;
- A list of the types of personal identifying information that are reasonably believed to have been the subject of the breach;
- The date of the breach, the estimated date of the breach or date range within which the breach occurred, if known;
- A general description of the breach incident;
- Toll-free phone numbers and addresses of the major credit reporting agencies;
- Advice that directs the recipient to review personal account statements and credit reports to detect errors resulting from the breach; and
- Advice that informs the recipient of the notification of the recipient’s rights pursuant to the federal Fair Credit Reporting Act.
Substitute notice may be permitted if more than 50,000 residents need to be notified, if the cost of providing notice would exceed $100,000, or if there is not sufficient contact information for the residents who need to be notified. Substitute notice includes the following: (a) email; (b) posting of the notice on the company’s website; and (c) notification of major media outlets in New Mexico and of the New Mexico Attorney General.
What If Law Enforcement Is Involved. The law provides that notification “may be delayed” if a law enforcement agency determines that notification will impede a criminal investigation, or as necessary to determine the scope of the breach and restore the integrity, security and confidentiality of the data system. Close cooperation with law enforcement, to protect the interests of the business, is well advised.
What Are the Law’s Penalties. Only the New Mexico Attorney General has the power to enforce the law. There is no private right of action. Penalties for failing to comply are damages for actual costs or losses, including financial losses, and an injunction. If the court finds a knowing or reckless violation, the court may impose a penalty of $25,000. The court may also impose a penalty of $10 per instance of failed notification, up to a maximum of $150,000.
The law has been in effect since June 16, 2017. In the event of a breach, a business should act immediately to secure its systems, send the required notifications, and protect itself and its customers. It is also prudent to have a data breach response plan in place, and to test that plan, before a breach arises.