Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

New Mexico Adopts Data Breach Notification Law – Two States Left to Go

April 24, 2017

As reported by Bank Info Security, Gov. Susana Martinez signed legislation on April 6^th making New Mexico the 48th state to enact a data breach notification law. The law takes effect on June 16.

Alabama and South Dakota are now the only states without a data breach notification law.

The New Mexico statute "follows the same general structure of many of the breach notification laws in other states," privacy lawyer Jason Gavejian says. "Importantly, the definition of personal identifying information under New Mexico's Data Breach Notification Act includes biometric data."

Only a handful of states including Illinois, Iowa, Nebraska and Wisconsin define PII to include biometric data, according to the law firm Mayer Brown LLP.

An analysis of the new statute by Mayer Brown says New Mexico deviates in a few ways from what is typically required by most other states data breach notification laws. "For example," the analysis says, "a service provider that processes data on behalf of a data owner must notify the owner of a breach 'in the most expedient time possible,' but not later than 45 days following discovery of the breach. In contrast, most states require service providers to notify data owners 'immediately,' and Florida and Georgia require notification by service providers within 10 days and 24 hours, respectively."

New Mexico's law requires businesses operating in the state to take reasonable security procedures to safeguard personally identifiable information. Unlike Massachusetts' law, the New Mexico measure is not prescriptive, giving much latitude to businesses to decide how best to protect PII.

The measure also requires organizations to notify the state attorney general if more than 1,000 New Mexicans were victims of a breach.

Like notification laws in many other states, organizations would be exempt from complying with the New Mexico statute if they must comply with the Gramm-Leach-Bliley Act that governs financial institutions handling private information or the Health Insurance Portability and Accountability Act that regulates patient information.

Alabama and South Dakota, are you two competing to be the last state to protect your residents?

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
http://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson

Sharon D. Nelson, Esq.
President

Subscribe in a Reader

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Ride the Lightning

New Mexico Adopts Data Breach Notification Law – Two States Left to Go

Subscribe for More!

Recent Posts

Listen to the Podcast

Disclaimer