The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
Data Breach Notification Statute
Covered Entities: A person, business or government entity that owns or licenses elements that include personal identifying information of a New Mexico resident. Does not apply to the state of New Mexico or any of its political subdivisions.
Consumer Notification: Notification shall be made to each New Mexico resident whose personal identifying information is “reasonably believed to have been subject to a security breach.”
Regulatory Notification: If more than 1,000 New Mexico residents are notified as a result of a single breach, the Attorney General must be notified no later than 45 days after the breach is discovered.
Notification Timeline: In the most expedient time possible, but not later than 45 days following discovery of the security breach, except where notification is delayed at the request of law enforcement or as necessary to determine the scope of the breach and restore the integrity, security and confidentiality of the system.
Data Format: Electronic.
Citations: N.M. Stat. Ann. §§ 57-12C-1 to 57-12C-12
- Breach: The unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data together with the key needed to decrypt it, that “compromises the security, confidentiality or integrity” of personal identifying information.
- Personal identifying information (PI): A person’s first name or first initial and last name in combination with one or more of the following data elements, when the data elements are not encrypted or otherwise rendered unreadable:
  - Social Security number
  - Driver’s license number or state identification card number
  - Government-issued identification number
  - Account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a person’s financial account
  - Biometric data
  Does not include information lawfully obtained from publicly available sources or from publicly available federal, state or local government records.
- Encrypted: Data that is “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”
- Good Faith: There is no breach when the personally identifying information is acquired by an employee or agent of a person for a legitimate business purpose, provided the personally identifying information is not subject to further unauthorized disclosure.
- Risk of Harm: Notification is not required if, after appropriate investigation, it is determined the breach does not create “a significant risk of identity theft or fraud.”
- Law Enforcement Delay: Notification may be delayed where a law enforcement agency determines that notification will impede a criminal investigation.
- Timing: Most expedient time possible, but not later than 45 days following discovery of a security breach
- Format: N/A
Required contents of the notice:
- Name and contact information of the notifying person;
- List of the types of personal identifying information reasonably believed to have been breached, if known;
- Date of the breach, the estimated date, or the range of dates within which the breach occurred, if known;
- General description of the breach;
- Toll-free telephone numbers and addresses of the major consumer reporting agencies;
- Advice that directs the recipient to review personal account statements and credit reports, as applicable, to detect errors resulting from the security breach; and
- Advice that informs the recipient of the recipient’s rights pursuant to the federal Fair Credit Reporting Act.
Methods of notice:
- Written notice
- Electronic notice, if the notifying person’s primary method of communication with the resident is by electronic means
- Substitute notice
Permitted where the person making notification can show that the cost of notification would exceed $100,000, that more than 50,000 people must be notified, or that the affected individuals’ addresses are unknown or the available contact information is insufficient to notify them. Substitute notice consists of all of the following:
- Email, when it is known
- Conspicuous posting to website
- Written notification to the New Mexico Attorney General and major media outlets in New Mexico
Attorney General and Consumer Reporting Agencies Notice:
If more than 1,000 New Mexico residents are notified as a result of a single breach, the Attorney General and the major consumer reporting agencies must also be notified no later than 45 days after the breach is discovered. The notice must state the number of New Mexico residents receiving notification and include a copy of the notification sent to them.
Third Party Notice: A third party that licenses or maintains personal identifying information it does not own and experiences a breach “shall notify the owner or licensee of the information” of the breach in the most expedient time possible, but no later than 45 days after discovery of the breach, subject to law enforcement requests for delay and the time necessary to restore the integrity, security and confidentiality of the system.
The Data Breach Notification Act does not apply to entities subject to HIPAA or the GLBA.
Information Security Standard
Covered Entities: A person or entity that owns or licenses personal information of New Mexico residents.
First Party Security Standard: A person that owns or licenses personal identifying information of a New Mexico resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.
Third Party Security Standard: A person that discloses personal identifying information of a New Mexico resident pursuant to a contract with a service provider shall require by contract that the service provider implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and to protect it from unauthorized access, destruction, use, modification or disclosure.
Disposal/Destruction Standard: A person that owns or licenses records containing personal identifying information of a New Mexico resident shall arrange for proper disposal of the records when they are no longer reasonably needed for business purposes. As used in this section, “proper disposal” means shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable.
Data Format: Electronic and Paper.
Citations: N.M. Stat. Ann. §§ 57-12C-1 to 57-12C-12
- Personal Identifying Information (PI): An individual’s first name or first initial and last name in combination with one or more of the following data elements:
- Social Security number;
- Driver’s license number;
- Government-issued identification number;
- Financial account or payment card number plus any required security code, access code, or password that would permit access to an individual’s financial account; or
- Biometric data.
PI does not include information lawfully obtained from publicly available sources or information lawfully made available to the general public from federal, state or local government records.
Methods of Compliance:
The statute does not define what constitutes “reasonable security procedures and practices …”
- Health Care: These requirements do not apply to persons or entities subject to HIPAA.
- Financial: These requirements do not apply to persons or entities subject to the GLBA.
- Other: These requirements do not apply to the state of New Mexico or any of its political subdivisions.
The New Mexico Attorney General may bring an action on behalf of individuals for alleged violations of the act. Remedies may include injunctive relief and damages for actual costs or losses, including consequential financial losses. Knowing or reckless violations may result in a civil penalty of the greater of $25,000 or, for failures to notify, $10 per instance of failed notification up to a maximum of $150,000.