Late, But Not Last, New Mexico Legislature Passes Data Breach Notification Law


By: Jonathan M. Romvary

On March 15, 2017, New Mexico’s Senate passed H.B. 15, the Data Breach Notification Act, making New Mexico the 48th state to pass a data breach notification law. The law, if signed by the governor, would provide New Mexico’s two million residents protections similar to those provided in many other states. Although it adopted the common definition of PII, New Mexico’s legislature declined to follow recent trends of expanding the definition of PII to include usernames or email addresses in combination with passwords and answers to security questions.

When a breach affecting New Mexico residents occurs, notification must be made no later than 30 days following discovery of the breach, except where “after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.” In the event more than 1,000 New Mexico residents are affected, you must also provide notice to the office of New Mexico’s attorney general and the major consumer reporting agencies. If the breach involves credit card or debit card numbers, notice must also be provided to each merchant services provider to which the credit card or debit card number was transmitted within ten days of discovery of the breach.

Similar to other jurisdictions, the New Mexico legislature did not provide its citizens with a private right of action; rather, it provides the state’s attorney general the right to bring legal actions on behalf of affected individuals. Courts may issue an injunction or award damages for actual losses, including consequential financial losses. For knowingly or recklessly violating the Act, the court may also impose civil penalties of $25,000, or in the case of a failure to notify, a penalty of $10 per instance up to a maximum penalty of $150,000.

New Mexico Governor Susana Martinez has until April 7, 2017 to sign the act into law. If signed into law, New Mexico would leave Alabama and South Dakota as the only states with no security breach laws, although the Alabama legislature has introduced a similar bill for consideration.

The passage of this new statute underscores the importance of staying up-to-date with your state’s data breach statutes and having a data breach response plan in place. The Cyber, Data Security, and Privacy practice group attorneys are here to assist you in navigating the intricacies of each state’s data protection statutes.

Please contact Jonathan Romvary at [email protected] if you have any questions regarding how this law or any state’s data breach statutes may affect you.