New Mexico has become the 48th state to enact a data breach notification law, with the Data Breach Notification Act. Governor Susana Martinez signed the bill on April 6, and it came into effect on June 16.
The law requires companies operating in New Mexico to notify individuals of data breaches involving personally identifiable information. Alabama and South Dakota are now the only states without such laws.
Law is lenient
The law is similar to most other states’ data breach laws, although it is more lenient in places.
Organizations must notify affected individuals when there has been an “unauthorized acquisition” of personal identifying information, but notification is not required if the organization determines, after investigating, that the breach does not give rise to a “significant risk” of identity theft or fraud. That judgement rests with the breached organization itself.
If more than 1,000 New Mexico residents are affected, the organization must also notify the state attorney general and the major consumer reporting agencies.
As with the notification laws of many other states, organizations already subject to the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA) are exempt from the Act.
Organizations must notify individuals “in the most expedient time possible” – and no later than 45 days after discovering the breach. The same 45-day ceiling applies to service providers that hold the data on behalf of another organization and must notify that data owner. As law firm Mayer Brown writes: “In contrast, most states require service providers to notify data owners ‘immediately,’ and Florida and Georgia require notification by service providers within 10 days and 24 hours, respectively.”
The law’s definition of personal identifying information is also wider than most states’, covering biometric data such as fingerprint records or iris scans. The only other states whose breach laws cover biometrics are Illinois, Iowa, Nebraska, and Wisconsin.
What took so long?
The main reason it took until now for New Mexico to enact a breach notification law is resistance from businesses, according to Mark Medley, who runs ID Theft Resolutions. He told BankInfoSecurity: “Lobbyists who didn’t want [the bill’s passage] are very strong and influential in Santa Fe.”
Representative Bill Rehm, who sponsored the bill, worked closely with businesses to reach compromises on specific provisions. According to BankInfoSecurity, earlier attempts to pass a breach notification law included a provision that would have required organizations to notify victims within 30 days; this was ultimately extended to 45 days.
That time limit is extremely generous compared with the EU General Data Protection Regulation (GDPR), which takes effect in May 2018. Any organization that processes EU residents’ personal data – and that includes many companies based in New Mexico and other US states – must report a breach to the relevant supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and must also notify the affected individuals without undue delay where the breach is likely to result in a high risk to them. Seventy-two hours is a fraction of the time that even the strictest US state allows.
Worryingly, there are signs of general indifference toward the GDPR in the US: one report found that 20% of US organizations haven’t yet begun to prepare for the Regulation. We have been urging organizations to start, or push on with, their GDPR compliance projects because time is running out.
We offer a variety of tools to help you implement the Regulation’s requirements, including information pages, free webinars, products, and services.