New Data Breach Legislation in the State of New Mexico

N.M. Stat. §§ 57-12C-1 – 57-12C-12, also known as H.B.1.5, is a data breach notification law that was passed in the U.S. state of New Mexico in 2017. New Mexico was the 48th state within the U.S. to pass legislation mandating that business entities and organizations that operate within the state provide data breach notifications to all impacted individuals and parties in the event that a security breach occurs. With this being said, N.M. Stat. §§ 57-12C-1 – 57-12C-12 sets forth the requirements that businesses and organizations are responsible for adhering to after experiencing a data breach, and also empowers the New Mexico attorney general to impose punishments against those who fail to comply with the provisions established in the law.

What is the scope and application of N.M. Stat. §§ 57-12C-1 – 57-12C-12?

In terms of the scope and application of the law, the provisions set forth in N.M. Stat. §§ 57-12C-1 – 57-12C-12 are applicable to “individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information. Certain entities may be exempted from particular or all provisions of the law.” Alternatively, the law also states that “an entity that maintains personal information that it does not own or license must notify the owner or licensee in the most expedient time possible, but no later than 45 days after discovery of a breach. Notification to owner or licensee is not required if, after appropriate investigation, the entity determines that the breach does not pose a significant risk of identity theft or fraud.”

What are the data breach requirements under N.M. Stat. §§ 57-12C-1 – 57-12C-12?

In accordance with other data breach notification laws that have been passed at the U.S. state level, N.M. Stat. §§ 57-12C-1 – 57-12C-12 required businesses and organizations within the state of New Mexico to provide all affected parties with notification in the event that a data breach occurs. These notifications must be provided to residents of the state in the most expedient manner possible, but no later than 45 days after the breach in question has been discovered. If a data breach affects more than 1,000 residents within New Mexico, the entity that experienced the breach is also responsible for providing notice to the New Mexico Attorney General. To this point, data breach notifications under N.M. Stat. §§ 57-12C-1 – 57-12C-12 must also provide New Mexico residents with the following information:

• The entity’s name and contact information.
• A description of the security breach, in general terms.
• The date, estimated date, or range of dates the breach occurred (if known).
• A list of the categories of personal information that are believed to have been compromised as a result of the breach.
• The addresses and toll-free telephone numbers of all three major credit reporting agencies within the U.S. (Equifax, Experian, and TransUnion).
• Advice concerning the reviewing of personal account statements and credit report errors, as well as the rights of all U.S. citizens under the Fair Credit Reporting Act or FCRA.

What categories of personal information a protected under N.M. Stat. §§ 57-12C-1 – 57-12C-12?

Under the provisions of N.M. Stat. §§ 57-12C-1 – 57-12C-12, the following categories of personal information are legally protected in the event that a data breach occurs, in instances where such data has not been redacted, encrypted, or otherwise rendered unusable or unreadable:

• Social security numbers.
• Drivers’ license numbers and government-issued identification card numbers.
• Financial account numbers, including credit and debit card numbers, as well as any required security codes, passwords, or access codes that could be used to gain access to an individual’s financial account.

As it pertains to the enforcement of N.M. Stat. §§ 57-12C-1 – 57-12C-12, the provisions established in the law are enforced by the New Mexico Attorney General. Consequently, the New Mexico Attorney General has the authority to impose the following sanctions and penalties against entities within the state that are found to be in violation of the law:

• The filing of an injunction.
• Damages for actual costs and losses, including consequential losses.
• A monetary penalty of up to $25,000 for knowing or reckless violations of the law.
• A monetary penalty of up to $150,000 for failure to provide New Mexico residents with data breach notifications when applicable.

Despite the fact that New Mexico was one of the last states within the U.S. to pass legislation concerning the regulation of security breaches, the requirements of businesses and organizations under the N.M. Stat. §§ 57-12C-1 – 57-12C-12 are particularly rigorous when compared to many other such laws around the country. To this end, the enactment of N.M. Stat. §§ 57-12C-1 – 57-12C-12 provided residents of the state of New Mexico were provided with a strong level of legal protection against the adverse consequences of data breaches, as such occurrences can prove disastrous to an individual’s credit score and financial accounts.