Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

New Mexico Becomes 48th State to Enact Data Breach Notification Law

August 16, 2017

Only Alabama and South Dakota have yet to join the party . . .

As IT Governance reported, New Mexico has become the 48th state to enact a data breach notification law, with the Data Breach Notification Act. Governor Susana Martinez signed the bill on April 6th, and it went into effect on June 16th.

The law is similar to most other states' data breach laws, although it is more lenient in part. Organizations are required to notify individuals of a data breach if there has been "unauthorized acquisition" of personal data, but this isn't necessary if the organization deems that there is no "significant risk" of identity theft. This is always the giant nail on which organizations hang their hats – that there is no proof of significant risk.

If more than 1,000 individuals are affected, organizations will also have to notify the New Mexico attorney general. As with notification laws in many other states, organizations will be exempt from the act if they are already required to comply with the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA).

Organizations must report a breach "in the most expedient time possible" – but no later than 45 days after discovering it. As law firm Mayer Brown writes: "In contrast, most states require service providers to notify data owners 'immediately,' and Florida and Georgia require notification by service providers within 10 days and 24 hours, respectively."

The law also includes a wider definition of personally identifiable information, including biometric data such as fingerprint records or iris scans. The only other states that include biometrics are Illinois, Iowa, Nebraska, and Wisconsin.

That 45-day time limit is extremely generous compared to the EU General Data Protection Regulation (GDPR), which will take effect in May 2018. Any organization that handles EU residents' personal data – and that includes many companies based in New Mexico and other US states – must report a data breach within 72 hours of discovering it. That's less than a third of the time that organizations in even the strictest US state have.

As the report points out, alarmingly, all signs point to a general indifference toward the GDPR in the US, with a report finding that 20% of US organizations haven't even begun to prepare for the Regulation.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson

Sharon D. Nelson, Esq.
President

Subscribe in a Reader

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Ride the Lightning

New Mexico Becomes 48th State to Enact Data Breach Notification Law

Subscribe for More!

Recent Posts

Listen to the Podcast

Disclaimer