Law Effective June 16, 2017

New Mexico has passed the "Data Breach Notification Act." Highlights of the law are presented below.

Personal Identifying Information
Under the law, "personal identifying information" means an individual's first name or first initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable:

• Social security number;
• Driver's license number;
• Government-issued identification number;
• Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to a person's financial account; or
• Biometric data.

Note: "Personal identifying information" does not mean information that is lawfully obtained from publicly available sources or from federal, state, or local government records lawfully made available to the general public.

Disposal and Security Measures for Storage
A person that owns or licenses records containing personal identifying information of a New Mexico resident must arrange for proper disposal of the records when they are no longer reasonably needed for business purposes. "Proper disposal" means shredding, erasing, or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable.

Additionally, a person that owns or licenses personal identifying information of a New Mexico resident must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification, or disclosure.

Notification of Security Breach
A person that owns or licenses elements that include personal identifying information of a New Mexico resident generally must provide notification to each New Mexico resident whose personal identifying information is reasonably believed to have been subject to a security breach. Notification must be made in the most expedient time possible, but generally not later than 45 calendar days following discovery of the security breach.

Note: Notification to affected New Mexico residents is not required if, after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.

Additional details and requirements, including exemptions, notification to the attorney general, and required content of notification, are contained in the text of the law. The law is effective June 16, 2017.

Preferred Partner of