Data Breach Bill Rejected by New Mexico Senate

The New Mexico Data Breach Notification Act (HB 217) may have been unanimously passed by the House, but the Senate has rejected the Act, which would have required businesses to notify customers in the event of a breach of Personally Identifiable Information (PII).

New Mexico’s definition of PII includes Social Security numbers, government ID numbers, driver’s license numbers, credit/debit card numbers, bank account numbers and information giving access to financial accounts, in cases where such data is combined with the person’s full name or last name and first initial. Data covered by the Gramm-Leach-Bliley Act of 1999 and the Health Insurance Portability and Accountability Act of 1996 is exempted.

The decision not to pass the Act is peculiar. It went before the Senate and was unanimously passed by the Corporations Committee; however, the Act did not get past the Judiciary Committee, even though no one voiced concern over the bill. Rep.

The rejection now means that in New Mexico, businesses are not required by law to notify individuals affected by a data breach involving PII that their data has been exposed. This only applies to PII: Protected Health Information (PHI) is covered under the federal Health Insurance Portability and Accountability Act, and any HIPAA-covered entity is required to notify affected individuals in the event of a breach of PHI.

The bill would have required all businesses to contact breach victims to advise them of the security incident within 45 days of the discovery of a breach that is “reasonably believed to include PII”. Under HIPAA Rules, organizations are required to send breach notifications within 60 days.

Bill Rehm, R-Bernalillo, who sponsored the bill, hoped to improve privacy standards for state residents with the passing of the new breach notification Act and was disappointed that the new privacy standard was not introduced. So too was Paul Stull, president and CEO of the Credit Union Association of New Mexico. Following the announcement that the bill had not been passed, he said: “Is there a wrong side to protecting New Mexicans from fraud and identity theft? Could anyone be in favor of the unscrupulous acts of fraudsters?”

It is not clear which aspects of the bill proved problematic and prevented the Act from being passed. Last year, a similar bill went before the Senate and was also rejected. New Mexico therefore remains one of only three states that have yet to implement a data breach notification law. 29 states are planning to introduce new data security breach notification laws this year.

According to New Mexico’s Department of Information Technology (DOIT), “for many state owned systems that contain PII, there are already strict requirements in place that are set by the federal government, such as tax or health information.” However, in a comment in the Fiscal Impact Report on HB 217, the DOIT did say that it “could promulgate additional rules to address certain provisions.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.