Ride the Lightning

New Mexico 48th State to Adopt Data Breach Notification Law

March 27, 2017

At least it is almost true – Data Breach Today reported that New Mexico is set to become the 48th state to enact a data breach notification law, which would leave Alabama and South Dakota as the only states without such a statute. The New Mexico Senate on March 15 passed the Data Breach Notification Act, or HB 15, by a 40-0 vote and sent the bill to Gov. Susana Martinez for her signature. The House approved the bill by a 68-0 margin on February 15.

Martinez is reviewing the legislation and has 20 days from passage to decide whether to approve it. The bill's sponsor, Rep. Bill Rehm, says he believes she will sign the measure.

What took New Mexico so long to enact a data breach notification law? Resistance from some businesses was reportedly a key factor. New Mexico's law, if enacted, would require businesses operating in the state to take reasonable security procedures to safeguard personally identifiable information. Unlike Massachusetts' law, the New Mexico measure is not prescriptive, giving a lot of latitude to businesses to decide how best to protect PII.

The measure also would require organizations to notify the state attorney general if more than 1,000 New Mexicans fell victim to a breach.

Breached organizations must notify individuals "in the most expedient time possible, but not later than 45 days following discovery of the security breach," according to an analysis of bill by the law firm Baker Hostetler. Organizations would be exempt from notification if, after an investigation, it is determined the breach didn't pose a significant risk of identity theft or fraud.

Like notification laws in many other states, organizations would be exempt from complying with the New Mexico statute if they must comply with the Gramm-Leach-Bliley Act that governs financial institutions handling private information or the Health Insurance Portability and Accountability Act that regulates patient information.

The New Mexico measure would require organizations to provide breach victims with advice on how to access personal account statements and credit reports to detect errors resulting from the security breach and also inform them of their rights under the Fair Credit Reporting and Identity Security Act.

Clearly, it is a royal pain to comply with a patchwork of state regulations. To me, a federal law makes much more sense. Of course, no one has asked for my opinion. Efforts to pass a federal law have failed since 2008. In spite of the appeal of the simplicity of having a single law, some consumer advocates have worried that the stronger protections of the Massachusetts and California laws would be watered down in a federal law.

Having watched dismal failure after dismal failure to enact a federal law, I am not holding my breath. One law makes far too much sense to be adopted . . .

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
http://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson