New Mexico may be joining the 46 other states in the nation that have a state data breach notification law dictating when and how entities that suffer data breaches must report the incident. State representative William R. Rehm introduced the Data Breach Notification Act (HB 224) on January 29, 2014, and the House passed the bill in February.

The bill would require companies to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure”. When personal identifying information is to be disposed of, the bill mandates that the disposal procedure “make the personal identifying information unreadable or undecipherable” via “shredding, erasing, or otherwise modifying” the information.

In addition to the data security requirements imposed upon the entity which maintains personal identifying information, the bill requires any entity that discloses personal identifying information “pursuant to a contract” to require the third-party recipient to comport with the same standard of data security set by this bill.

The Data Breach Notification Act establishes strict requirements regarding notification to consumers of a data breach. The bill implements a ten-day deadline for a breached entity to notify the victims of the data breach unless a law enforcement agency determines the notification “will impede a criminal investigation; or the notification will impede efforts to determine the scope of the security breach and restore the integrity, security and confidentiality of the data system”.

The bill requires that the data breach notification contain:

  • The name and contact information of the entity
  • A list of the types of personal identifying information that was breached
  • Date of the security breach
  • A general description of the data breach
  • A statement clarifying whether the notification was delayed for any reason
  • Toll-free telephone numbers and addresses of the three credit reporting agencies
  • Advice directing the victim to review personal account statements and credit reports
  • Advice explaining the victim’s rights under the Fair Credit Reporting and Identity Security Act

Should a notification of a data breach be required for more than 50 New Mexico residents, the entity would also have to provide notification to the New Mexico Attorney General and all consumer reporting agencies within ten days. Section 10 of the bill has an interesting requirement that when an entity is breached and the compromised data included credit card numbers or debit card numbers, the entity would have to provide notice to the merchant service providers to which the payment card data was transmitted. We will keep a close eye on the progress of this bill as it moves to the Senate for review.

“Data Breach Notification Bill Introduced in New Mexico” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.