On April 6, 2017, New Mexico became the 48th state to enact a data breach notification law, leaving Alabama and South Dakota as the only two states without such a law. The New Mexico law goes into effect June 16, 2017.
Who Is Covered? Defining “Personal Identifying Information”
The new law applies to any “person that owns or licenses elements that include personal identifying information of a New Mexico resident[.]” The definition of “personal identifying information” largely tracks the definitions adopted by sister states, and includes an individual’s first name or first initial and last name in combination with one or more of the following data elements, when such data elements “are not protected through encryption or redaction or otherwise rendered unreadable or unusable:”
- social security number;
- driver’s license number;
- government-issued identification number;
- account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a person’s financial account; or
- biometric data.
Biometric data is defined under the new law to mean a record generated by automatic measurements of an identified individual’s fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to “uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account[.]” “[E]ncrypted” is defined under the new statute to mean “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security[.]” And “personal identifying information” does not mean information that is “lawfully obtained from publicly available sources or from federal, state or local government records lawfully made available to the general public[.]”
When Is Notification Required?
Defining “Security Breach”
Notification is required under the new law when the “personal identifying information” of a “New Mexico resident” is “reasonably believed to have been subject to a security breach.” The phrase “security breach” is defined under the statute to mean the “unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality or integrity of personal identifying information maintained by a person.” The phrase “security breach” does not include the good-faith acquisition of personal identifying information by an employee or agent of a person for a “legitimate business purpose of the person[,]” so long as the personal identifying information is not subject to further unauthorized disclosure.
45 Day Window
Notice under the new law must be made “in the most expedient time possible, but no later” than 45 calendar days “following discovery of the security breach[.]” Notification may be delayed, however, if a law enforcement agency determines that the notification will impede a criminal investigation, or “as necessary to determine the scope of the security breach and restore the integrity, security and confidentiality of the data system.”
Investigation Defense / Risk Of Harm
Notification is not required if “after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.”
What Is Required In The Notice?
If notice is required, the new law provides specific content requirements, including:
- The name and contact information of the notifying person;
- A list of the types of personal identifying information that are reasonably believed to have been the subject of a security breach, if known;
- The date of the security breach, the estimated date of the breach or the range of dates within which the security breach occurred, if known;
- A general description of the security breach incident;
- The toll-free telephone numbers and addresses of the major consumer reporting agencies;
- Advice that directs the recipient to review personal account statements and credit reports, as applicable, to detect errors resulting from the security breach; and
- Advice that informs the recipient of the notification of the recipient’s rights pursuant to the federal Fair Credit Reporting Act.
Are There Exemptions?
Yes. The new law does not apply to covered persons subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996.
Do The Attorney General And Credit Reporting Agencies Require Notification?
Yes. If notice goes out to more than 1,000 New Mexico residents “as a result of a single security breach” the covered person must “notify the office of the attorney general and major consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1681a(p)[.]” Such notice must be made “in the most expedient time possible,” but no later than the same time that notice goes out to the impacted resident – 45 calendar days. Such notice must “notify the attorney general of the number of New Mexico residents that received notification” and “shall provide a copy of the notification that was sent to affected residents within” 45 calendar days “following discovery of the security breach[.]”
Is There A Private Right Of Action?
No. The new law only allows for an enforcement action brought by the attorney general. And in such cases, the attorney general may seek injunctive or compensatory relief. If the court determines the person violated the new law “knowingly or recklessly,” the court may also impose a civil penalty of the greater of $25,000 or, in the case of failed notification, $10.00 per instance of failed notification up to a maximum of $150,000.
- Encryption is key. The new law contains a safe harbor provision for encrypted data, so long as the encryption key is not compromised. The new law does not describe the specific encryption method required, as opposed to Tennessee’s new revisions.
- Investigation is key. Conducting an adequate and thorough investigation at the outset of a breach is critical under the new law. Conducting such an investigation will provide for extra time to complete notification, if required. It will also allow for non-notice if the investigation determines the security breach “does not give rise to a significant risk of identity theft or fraud.”
- Consider involving law enforcement. It may seem counterintuitive, but involving law enforcement early in a data breach case may provide extra time on notification. The federal government, and particularly the FBI and DHS, also actively encourage private business to reach out in the case of a data breach. In the case of 1,000 impacted New Mexico residents, however, notice to the New Mexico attorney general is required.
- Time is of the essence. The new law provides a 45 calendar day window to effectuate notice to both residents and law enforcement, when required. That means investigations need to be undertaken immediately, and without delay.
The Dentons Privacy and Cybersecurity Group is prepared to help you and your business navigate this new law, address your encryption issues, and help conduct the required investigations necessary once breach occurs.