Feb. 21 -- The New Mexico House Feb. 17 unanimously passed a significantly amended version of a bill (H.B. 224) to require companies to notify state residents of the breach of their unencrypted personal information.
If enacted, the measure would make New Mexico the 47th state with a breach notice law. The measure includes unique payment card breach provisions.
The bill has undergone significant amendments since it was introduced Jan. 29 (13 PVLR 221, 2/3/14).
The amended bill changes the deadline for companies to notify affected individuals of a breach from 10 business days after discovering a breach to 45 days after discovering a breach.
Companies, however, would be obligated under the proposed law to notify the state attorney general and consumer reporting agencies within 14 days of discovering a breach.
The bill still includes a provision requiring that companies notify the state attorney general of breaches, but the threshold of affected state residents needed to trigger notification jumped from 50 in the bill as introduced to 1,000 in the version passed by the House.
The amended bill now also includes a risk of harm threshold for when breaches must be reported. Affected individuals must be notified only if there is no “significant risk of identity theft or fraud.” A company that determines not to notify individuals in a breach affecting 1,000 or more New Mexico residents would be required to notify the state attorney general.
The bill was also amended to make clear that companies in compliance with the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act would be deemed to be in compliance with the proposed law.
A provision to allow individuals to file lawsuits to recover actual or statutory damages was dropped from the measure.
The bill retains reasonable data security and personal data disposal mandates for companies.
H.B. 224 would require merchant service providers, such as retailers, involved in a breach who received credit or debit card numbers to notify card companies within 10 business days following discovery of the breach.
That represents a big change from the original bill, which would have set a two-business-day deadline to notify banks and other card-issuing financial institutions.
Under the amended version of the bill, a special risk of harm threshold for notice that would have applied only to payment card breaches has been deleted. All breaches now fall under the newly added general notice risk trigger standard.
The amended H.B. 224 retained a provision allowing card issuers to sue to recover administrative costs, such as replacing cards, covering fraudulent charges and covering the costs of notification.
The bill, however, now includes a provision that would exempt merchant services providers from liability for post-breach payment card costs if they are in compliance with the Payment Card Industry Data Security Standard, or successor industry standards.
In addition to New Mexico, only Alabama, Kentucky and South Dakota don't have any type of data breach notice law.
The Kentucky House Jan. 30 unanimously approved a public sector data breach bill (13 PVLR 221, 2/3/14).
Alabama's Legislature convened Jan. 14. As of Feb. 21, no breach notice bills had been introduced.
South Dakota's Legislature convened Jan. 14. But as of Feb. 21, no breach notice bills had been introduced.
H.B. 224, as amended on the floor and passed by the House, is available at http://www.nmlegis.gov/Sessions/14%20regular/bills/house/HB0224FHS.pdf.