On April 6th, Governor Susana Martinez signed a data security breach notification law, effectively making New Mexico the 48th state to enact such a law. The law takes full effect on June 16th.
Now, South Dakota and Alabama are the only two states that don’t have a data security breach notification law in place.
According to Jason Gaveijan, a privacy lawyer, the New Mexico statute follows the same general structure as similar breach notification laws in effect in other states. The New Mexico breach notification law also includes biometric data in its definition of personal identifying information.
According to Mayer Brown LLP, a law firm, only a handful of state laws include biometric data. The states whose laws do so include Iowa, Nebraska, Illinois, and Wisconsin.
The structure of New Mexico’s breach notification law is also a bit different from what is considered to be the norm. For example, a service provider (processing data on behalf of a data owner) must notify the owner of the breach ‘in the most expedient time possible’, but no later than 45 days from when the breach is discovered. In comparison, most other breach notification laws require service providers to do this immediately afterwards.
If more than 1,000 New Mexicans become the victims of a data security breach, the law also requires the organisation to notify the state attorney general.
According to the Baker Hostetler law firm, an organisation is exempt from having to notify anyone if an investigation determines that the breach did not pose a significant risk of fraud or identity theft.