New Mexico Becomes Most Recent State to Enact Data Breach Notification Law
States across the US have been enacting legislation to protect their citizens in the event of a data breach since California first did it back in 2003. The most recent state, New Mexico, marks the 48th state to implement new laws that require speedy notification.
This new legislation starts off with a mandate for notifying potential victims immediately in the event that their information was compromised. Where other states have previously included wording to the effect of “as quickly as feasibly possible,” New Mexico also demands that companies notify as soon as they have reason to suspect that information was fraudulently accessed. However, they also go further in saying that this means no more than 45 calendar days.
Two other aspects of the regulations pertain to why someone needs to be notified in the first place. Therefore, there are exceptions in place if there was no risk to the victims, specifically if the compromised information doesn’t include any data that can be used to cause damage. What does that mean? Data that must be considered sensitive and result in a notification includes first names or initials and last names along with the Social Security number, a driver’s license number or government-issued identification number such as ones that appear on a state-issued ID card, an account number, a credit card or debit card number (if they also accessed a security code or password), and any biometric data like stored fingerprints.
But there’s much more to New Mexico’s bill than just letting the public know after something has happened. This bill also works to prevent data breaches as much as possible, outlining some of the steps that companies have to take in order to protect consumers’ information. As some businesses may find themselves scrambling to comply with the new measures, it’s a good time for companies of any size or industry to take a hard look at what information they gather and why they need it. Some businesses may learn that they don’t need as much data as they thought, and can curtail the need to encrypt it or be responsible for it if they simply stop requesting it in the first place.
Interestingly, this new law does not apply to HIPAA-covered agencies as they already have strict protocols through federal legislation. Now, with only two states still holding out on enacting data breach notification laws, the time may be right for federal mandates to protect consumer data.
If you think you may be a victim of identity theft, contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App.
Read next: Spring Cleaning for your Mobile Device