New Mexico Data Breach Notification
NM Stat § 57-12C-1 - § 57-12C-12
CITATION:
ARTICLE 12C Data Breach Notification
57-12C-1. Short title.
57-12C-2. Definitions.
57-12C-3. Disposal of personal identifying information.
57-12C-4. Security measures for storage of personal identifying information.
57-12C-5. Service provider use of personal identifying information; implementation of security measures.
57-12C-6. Notification of security breach.
57-12C-7. Notification; required content.
57-12C-8. Exemptions.
57-12C-9. Delayed notification.
57-12C-10. Notification to attorney general and credit reporting agencies.
57-12C-11. Attorney general enforcement; civil penalty.
57-12C-12. State of New Mexico and political subdivisions
57-12C-1. Short title.
This act [57-12C-1 to 57-12C-12 NMSA 1978] may be cited as the "Data Breach Notification Act".
History: Laws 2017, ch. 36, § 1.
ANNOTATIONS
Effective dates. — Laws 2017, ch. 36 contained no effective date provision, but, pursuant to N.M. Const., art. IV, § 23, was effective June 16, 2017, 90 days after the adjournment of the legislature.
57-12C-2. Definitions.
As used in the Data Breach Notification Act:
A. "biometric data" means a record generated by automatic measurements of an identified individual's fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual's identity when the individual accesses a physical location, device, system or account;
B. "encrypted" means rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security;
C. "personal identifying information":
(1) means an individual's first name or first initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable:
(a) social security number;
(b) driver's license number;
(c) government-issued identification number;
(d) account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a person's financial account; or
(e) biometric data; and
(2) does not mean information that is lawfully obtained from publicly available sources or from federal, state or local government records lawfully made available to the general public;
D. "security breach" means the unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality or integrity of personal identifying information maintained by a person. "Security breach" does not include the good-faith acquisition of personal identifying information by an employee or agent of a person for a legitimate business purpose of the person; provided that the personal identifying information is not subject to further unauthorized disclosure; and
E. "service provider" means any person that receives, stores, maintains, licenses, processes or otherwise is permitted access to personal identifying information through its provision of services directly to a person that is subject to regulation.
History: Laws 2017, ch. 36, § 2.
ANNOTATIONS
Effective dates. — Laws 2017, ch. 36 contained no effective date provision, but, pursuant to N.M. Const., art. IV, § 23, was effective June 16, 2017, 90 days after the adjournment of the legislature.
57-12C-3. Disposal of personal identifying information.
A person that owns or licenses records containing personal identifying information of a New Mexico resident shall arrange for proper disposal of the records when they are no longer reasonably needed for business purposes. As used in this section, "proper disposal" means shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable.
History: Laws 2017, ch. 36, § 3.
ANNOTATIONS
Effective dates. — Laws 2017, ch. 36 contained no effective date provision, but, pursuant to N.M. Const., art. IV, § 23, was effective June 16, 2017, 90 days after the adjournment of the legislature.
57-12C-4. Security measures for storage of personal identifying information.
A person that owns or licenses personal identifying information of a New Mexico resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.
History: Laws 2017, ch. 36, § 4.
ANNOTATIONS
Effective dates. — Laws 2017, ch. 36 contained no effective date provision, but, pursuant to N.M. Const., art. IV, § 23, was effective June 16, 2017, 90 days after the adjournment of the legislature.
57-12C-5. Service provider use of personal identifying information; implementation of security measures.
A person that discloses personal identifying information of a New Mexico resident pursuant to a contract with a service provider shall require by contract that the service provider implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and to protect it from unauthorized access, destruction, use, modification or disclosure.
History: Laws 2017, ch. 36, § 5.
ANNOTATIONS
Effective dates. — Laws 2017, ch. 36 contained no effective date provision, but, pursuant to N.M. Const., art. IV, § 23, was effective June 16, 2017, 90 days after the adjournment of the legislature.
57-12C-6. Notification of security breach.
A. Except as provided in Subsection C of this section, a person that owns or licenses elements that include personal identifying information of a New Mexico resident shall provide notification to each New Mexico resident whose personal identifying information is reasonably believed to have been subject to a security breach. Notification shall be made in the most expedient time possible, but not later than forty-five calendar days following discovery of the security breach, except as provided in Section 9 [57-12C-9 NMSA 1978] of the Data Breach Notification Act.
B. Notwithstanding Subsection A of this section, notification to affected New Mexico residents is not required if, after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.
C. Any person that is licensed to maintain or possess computerized data containing personal identifying information of a New Mexico resident that the person does not own or license shall notify the owner or licensee of the information of any security breach in the most expedient time possible, but not later than forty-five calendar days following discovery of the breach, except as provided in Section 9 of the Data Breach Notification Act; provided that notification to the owner or licensee of the information is not required if, after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.
D. A person required to provide notification of a security breach pursuant to Subsection A of this section shall provide that notification by:
(1) United States mail;
(2) electronic notification, if the person required to make the notification primarily communicates with the New Mexico resident by electronic means or if the notice provided is consistent with the requirements of 15 U.S.C. Section 7001; or
(3) a substitute notification, if the person demonstrates that:
(a) the cost of providing notification would exceed one hundred thousand dollars ($100,000);
(b) the number of residents to be notified exceeds fifty thousand; or
(c) the person does not have on record a physical address or sufficient contact information for the residents that the person or business is required to notify.
E. Substitute notification pursuant to Paragraph (3) of Subsection D of this section shall consist of:
(1) sending electronic notification to the email address of those residents for whom the person has a valid email address;
(2) posting notification of the security breach in a conspicuous location on the website of the person required to provide notification if the person maintains a website; and
(3) sending written notification to the office of the attorney general and major media outlets in New Mexico.
F. A person that maintains its own notice procedures as part of an information security policy for the treatment of personal identifying information, and whose procedures are otherwise consistent with the timing requirements of this section, is deemed to be in compliance with the notice requirements of this section if the person notifies affected consumers in accordance with its policies in the event of a security breach.
History: Laws 2017, ch. 36, § 6.
ANNOTATIONS
Effective dates. — Laws 2017, ch. 36 contained no effective date provision, but, pursuant to N.M. Const., art. IV, § 23, was effective June 16, 2017, 90 days after the adjournment of the legislature.
57-12C-7. Notification; required content.
Notification required pursuant to Subsection A of Section 6 [57-12C-6 NMSA 1978] of the Data Breach Notification Act shall contain:
A. the name and contact information of the notifying person;
B. a list of the types of personal identifying information that are reasonably believed to have been the subject of a security breach, if known;
C. the date of the security breach, the estimated date of the breach or the range of dates within which the security breach occurred, if known;
D. a general description of the security breach incident;
E. the toll-free telephone numbers and addresses of the major consumer reporting agencies;
F. advice that directs the recipient to review personal account statements and credit reports, as applicable, to detect errors resulting from the security breach; and
G. advice that informs the recipient of the notification of the recipient's rights pursuant to the federal Fair Credit Reporting.
History: Laws 2017, ch. 36, § 7.
ANNOTATIONS
Cross references. — For the federal Fair Credit Reporting Act, see 15 U.S.C. § 1681 et seq.
Effective dates. — Laws 2017, ch. 36 contained no effective date provision, but, pursuant to N.M. Const., art. IV, § 23, was effective June 16, 2017, 90 days after the adjournment of the legislature.
57-12C-8. Exemptions.
The provisions of the Data Breach Notification Act shall not apply to a person subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996.
History: Laws 2017, ch. 36, § 8.
ANNOTATIONS
Cross references. — For the federal Gramm-Leach-Bliley Act, see 15 U.S.C. §§ 6801-6810
For the federal Health Insurance Portability and Accountability Act of 1996, see 42 U.S.C. 300gg et seq.
Effective dates. — Laws 2017, ch. 36 contained no effective date provision, but, pursuant to N.M. Const., art. IV, § 23, was effective June 16, 2017, 90 days after the adjournment of the legislature.
57-12C-9. Delayed notification.
The notification required by the Data Breach Notification Act may be delayed:
A. if a law enforcement agency determines that the notification will impede a criminal investigation; or
B. as necessary to determine the scope of the security breach and restore the integrity, security and confidentiality of the data system.
History: Laws 2017, ch. 36, § 9.
ANNOTATIONS
Effective dates. — Laws 2017, ch. 36 contained no effective date provision, but, pursuant to N.M. Const., art. IV, § 23, was effective June 16, 2017, 90 days after the adjournment of the legislature.
57-12C-10. Notification to attorney general and credit reporting agencies.
A person that is required to issue notification of a security breach pursuant to the Data Breach Notification Act to more than one thousand New Mexico residents as a result of a single security breach shall notify the office of the attorney general and major consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1681a(p), of the security breach in the most expedient time possible, and no later than forty-five calendar days, except as provided in Section 9 [57-12C-9 NMSA 1978] of the Data Breach Notification Act. A person required to notify the attorney general and consumer reporting agencies pursuant to this section shall notify the attorney general of the number of New Mexico residents that received notification pursuant to Section 6 of that act [57-12C-6 NMSA 1978] and shall provide a copy of the notification that was sent to affected residents within forty-five calendar days following discovery of the security breach, except as provided in Section 9 of the Data Breach Notification Act.
History: Laws 2017, ch. 36, § 10.
ANNOTATIONS
Effective dates. — Laws 2017, ch. 36 contained no effective date provision, but, pursuant to N.M. Const., art. IV, § 23, was effective June 16, 2017, 90 days after the adjournment of the legislature.
57-12C-11. Attorney general enforcement; civil penalty.
A. When the attorney general has a reasonable belief that a violation of the Data Breach Notification Act has occurred, the attorney general may bring an action on the behalf of individuals and in the name of the state alleging a violation of that act.
B. In any action filed by the attorney general pursuant to the Data Breach Notification Act, the court may:
(1) issue an injunction; and
(2) award damages for actual costs or losses, including consequential financial losses.
C. If the court determines that a person violated the Data Breach Notification Act knowingly or recklessly, the court may impose a civil penalty of the greater of twenty-five thousand dollars ($25,000) or, in the case of failed notification, ten dollars ($10.00) per instance of failed notification up to a maximum of one hundred fifty thousand dollars ($150,000).
History: Laws 2017, ch. 36, § 11.
ANNOTATIONS
Effective dates. — Laws 2017, ch. 36 contained no effective date provision, but, pursuant to N.M. Const., art. IV, § 23, was effective June 16, 2017, 90 days after the adjournment of the legislature.
57-12C-12. State of New Mexico and political subdivisions exempted.
Nothing in the Data Breach Notification Act shall be interpreted to apply to the state of New Mexico or any of its political subdivisions.
History: Laws 2017, ch. 36, § 12.
ANNOTATIONS
Effective dates. — Laws 2017, ch. 36 contained no effective date provision, but, pursuant to N.M. Const., art. IV, § 23, was effective June 16, 2017, 90 days after the adjournment of the legislature.
For more information, see here: https://nmonesource.com/nmos/nmsa/en/item/4423/index.do#!fragment/zoupio-_Toc99444845/BQCwhgziBcwMYgK4DsDWszIQewE4BUBTADwBdoAvbRABwEtsBaAfX2zgE4OAWXgDm4BWAJQAaZNlKEIARUSFcAT2gByFaIiEwuBHIXK1GrTpABlPKQBCygEoBRADJ2AagEEAcgGE7o0mABG0KTswsJAA
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.