New Mexico Moving on Breach Notice Bill; May Join Roster as 48th State With Law

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Feb. 11 — A New Mexico data breach notification bill (H.B. 217 ) moving in the Legislature would make the state the 48th to enact a law requiring that companies notify individuals affected by a breach of personal information.

The New Mexico House Business and Employment Committee Feb. 5 unanimously approved a substitute amendment for H.B. 217. The measure is scheduled for consideration by the House Judiciary Committee Feb. 13.

The move comes as the Obama administration is pushing for federal legislation to set a national breach notice standard to preempt state breach laws.

Congress may be receptive to passing a breach notice law in the wake of recent large-scale breaches at Anthem Inc. and Sony Pictures Entertainment Inc.

If the proposed New Mexico Data Breach Notification Act, which was introduced Jan. 28 by Rep. William R. Rehm (R), is adopted, Alabama and South Dakota would be the only states left without a breach notice statute.

45-Day Notice Deadline 

The New Mexico bill would require companies and government agencies to notify New Mexico residents when there is “unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal identifying information.” Under the proposed law, notification must take place within 45 days after discovery of the breach.

If the breach involves payment card numbers, covered entities would be required to notify merchants that processed the data within 10 business days of discovering the breach.

If more than 1,000 individuals were required to be notified as the result of a single breach incident, covered entities would also have to notify the state office of the attorney general of the breach.

The bill would require covered entities to employ “reasonable” data security measures and to dispose of stored personal information as soon as possible after it is no longer needed for business purposes in manner that makes the data “unreadable or undecipherable.”

H.B. 217 would authorize the state attorney general to bring suit to seek injunctive relief and actual damages for violations of the proposed law. If a court held that the breach law was violated “knowingly or recklessly,” it would be authorized to award a civil penalty of the greater of $5,000, or in the case of a failure by a covered entity to provide notice, $10 per instance of failed notification up to a maximum of $150,000 per breach incident.

The committee substitute stripped a provision from the bill as filed that would have allowed payment card issuing banks to sue merchants that improperly retained card data for the costs of replacing cards and card readers, closing and reopening user accounts, reimbursing card holders for unauthorized charges and notifying affected individuals.

Alabama, South Dakota 

There is still a chance that lawmakers in Alabama may see a breach notice bill in the 2015 legislative session, but no legislation will be considered in South Dakota in 2015.

As of Feb. 11 no breach notice legislation has been introduced in Alabama, but there is no deadline for filing bills. The Legislature is slated to adjourn in June.

Meanwhile in South Dakota, the Feb. 4 deadline for introduction of legislation has passed without a breach notification measure being filed.

The Business and Employment Committee substitute for H.B. 217 is available at