There are currently no data breach notification laws in New Mexico, but that is likely to change soon. New Mexico is one of three states that have yet to implement data breach notification laws, the other two being Arkansas and South Dakota. All three states are now in the advanced stages of introducing laws that will require companies to notify consumers in the event that their personal information is exposed or stolen.
Currently there is no federal law covering data breach notifications for all businesses, only for certain regulated industries such as finance and healthcare. Instead it is up to individual states to introduce laws to protect consumers in the event that their sensitive personally identifiable information is stolen.
This week, data breach notification laws in New Mexico moved a step closer to being written into state law. A new bill sponsored by Rep. Bill Rehm was recently passed unanimously by a state Senate committee. The bill will now go before the Senate Judiciary Committee before being passed on to the Senate floor.
Rehm previously attempted to improve protections for state residents by introducing a similar bill in 2015, although that bill failed to make it past the Senate Judiciary Committee. It is hoped that this time around, Rehm’s bill will not be rejected.
Rehm recently told the Grant County Beat, “Our laws have not kept up with the pace of technology. This bill will remedy a gap in our existing consumer protections and put us on par with other states.”
The new bill covers a wide range of sensitive data, but it does not cover health insurance and medical information. When HIPAA-covered protected health information is exposed or stolen, breach notification letters must still be sent to affected individuals as required by the HIPAA Breach Notification Rule.
HIPAA-covered entities will not be required to comply with the new data breach notification laws in New Mexico, and neither will companies covered by the Gramm-Leach-Bliley Act, since both are already subject to federal breach notification requirements.
If passed, the new data breach notification laws will require all entities that hold the personal information of state residents to issue notifications in the event of a security breach or exposure of that information. This includes the improper disposal of documents or electronic devices containing personal information that has not been rendered unreadable and undecipherable.
The new laws will cover any of the following information when it has been exposed or stolen together with a person’s full name, or first initial and last name:
- Driver’s license number
- Social Security number
- Government-issued ID number
- Biometric data such as retina scans and fingerprints
- Account numbers, credit card numbers, and debit card numbers – when exposed or stolen along with passwords or security codes that could allow those accounts to be compromised.
Notifications will need to be issued in the most expedient time possible following the breach, but no later than 30 days after the breach is discovered. That makes the requirements of the new data breach notification laws in New Mexico more stringent than those of the HIPAA Breach Notification Rule, which requires covered entities to notify patients and health plan members of a breach of their PHI within 60 days of discovery of the breach.
Failure to comply with the legislation would expose an organization to a fine of up to $25,000, or, in the case of delayed or missed breach notifications, a fine of $10 per missed notification up to a maximum of $150,000.