New Mexico Data Breach Notification Bill Moves to Senate Judiciary Committee

A new data breach notification bill has been unanimously passed by the New Mexico House of Representatives, bringing New Mexico one step closer to becoming the 48th state to introduce data breach notification laws. The bill (House Bill 15) – also known as the Data Breach Notification Act – was sponsored by Republican Rep. William R. Rehm of Bernalillo. The bill will now move on to the Senate Judiciary Committee.

This is not the first time that a New Mexico data breach notification law has been sent to the Senate Judiciary Committee. Rehm previously sponsored a similar bill in 2015, yet on two occasions the Senate Judiciary Committee failed to pass the bill on to the Senate.

The new data breach notification bill covers a range of sensitive data, although medical and insurance information are not included in the definition of personal information. Entities covered by the Health Insurance Portability and Accountability Act or the Gramm-Leach-Bliley Act will not be required to comply if the bill is written into state law.

Should the legislation be passed by the Senate, all other entities doing business in the state of New Mexico will be required to comply with the breach notification legislation. In the event of a breach of personal information, breach notifications will need to be issued to affected individuals ‘in the most expedient time possible’ but no later than 30 days following the discovery of the breach. Notifications will also need to be sent to the state attorney general and major consumer reporting agencies.

In addition to security breaches that result in the exposure of personal information, the legislation covers improper disposal of sensitive information. The legislation calls for organizations to shred, erase or otherwise modify personal identifying information prior to disposal. As with HIPAA, the information must be rendered unreadable and undecipherable prior to disposal.

A breach of the Data Breach Notification Act could result in a $25,000 fine or, in the case of failed notifications, $10 per instance up to a maximum of $150,000.

The types of information included in the definition of personal information are:

An individual’s full name, or first name or initial and last name, along with any of the following data elements:

  • Social Security number
  • Driver’s license number
  • Government Identification numbers
  • Bank account number or credit/debit card number along with a CVV code or other code or password that would enable access to be gained to a financial account
  • Unique biometric data

If passed, New Mexico will become the 48th state to introduce data breach notification legislation. The two remaining states that have yet to introduce data breach notification laws are Arkansas and South Dakota, both of which are currently working on new legislation to protect state residents.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.