And Then There Were Two: New Mexico Set to Become 48th State to Enact Data Breach Notification Law

The New Mexico Legislature passed the ‘Data Breach Notification Act’ (the Act) on March 15. Governor Susana Martinez has 20 days from the date the Act was passed to sign it into law. If enacted, the Act would require a person, other than a person who is subject to the Health Insurance Portability and Accountability Act of 1996 or the Gramm-Leach-Bliley Act, that “owns or maintains” records containing a New Mexico resident’s personal identifying information (PII) to notify the resident if his or her PII is “reasonably believed” to have been subject to a security breach. In most cases, notification is required within 45 days.
Under the Act, PII is defined as an individual’s last name and first name or first initial in combination with one or more specified data elements, when the data elements are not rendered unreadable or unusable through encryption, redaction, or another means. The five specified data elements or categories of data elements in the Act are (i) social security number; (ii) driver’s license number; (iii) government-issued identification number; (iv) biometric data, such as fingerprint, voice print, or retina image; and (v) account number, such as credit card or bank account number when combined with an access code that would permit access to the account.
“Security breach” is defined as the unauthorized acquisition of computerized data that compromises the security or integrity of PII. This definition is significant: as written, the Act does not require notification of a security breach involving PII contained only in paper records. Nor would notification be required when a breach results in the unauthorized access of PII but not the unauthorized acquisition of PII. Notification is also not required if an “appropriate investigation” reveals that the security breach does not give rise to a significant risk of identity theft or fraud.
The time frame for individual notice under the Act is “in the most expedient time possible,” but no later than 45 calendar days following the discovery of the security breach. Additional notice must be sent to the Office of the Attorney General and major consumer credit agencies if the PII of 1,000 or more New Mexico residents was involved in a single breach. If providing individual notice would cost $100,000 or more, a person can provide “substitute” notice, which includes sending written notice of the security breach to major media outlets in New Mexico. A breach notice must contain seven elements, including the phone numbers of major consumer credit agencies, advice that directs the recipient to review their account statements and credit history for errors resulting from the security breach, and advice that informs the recipient of their rights under New Mexico’s Fair Credit Reporting and Identity Security Act.
The Act also implements flexible security standards for the storage, use, and disposal of PII. A person who owns or licenses PII must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect PII. A person who owns or licenses PII must arrange for its “proper disposal,” which is defined as shredding, erasing, or otherwise making the PII unreadable, when the PII is “no longer reasonably needed for business purposes.” A person who discloses PII to a subcontractor must require the subcontractor to implement similar safeguards in its contract.
The Act enables the attorney general to bring an action on behalf of affected individuals based on a reasonable belief that a violation of the Act has occurred. The court can issue an injunction and award damages for actual and consequential losses. If the court determines that a person violated the Act knowingly or recklessly, it may additionally impose a civil penalty of the greater of $25,000 or $10 per failed notification, up to $150,000.
If the Act becomes law, New Mexico will become the 48th state to pass a breach notification law.