New Mexico Now 48th State to Require Breach Notice


By Daniel R. Stoller

Companies must notify New Mexico residents of the breach of their personal information under the state’s new data breach notification law.

Gov. Susana Martinez (R) signed the bill April 6—just one day before the April 7 deadline to act on the legislation. The law unanimously cleared both New Mexico’s House and Senate.

New Mexico joins the roster of 48 states and the District of Columbia with data breach notification laws. Only Alabama and South Dakota remain without some version of a breach notice law.

Companies have complained that the patchwork of various requirements under the different state data breach notice laws creates high compliance costs. It is unclear, however, whether Congress will move to adopt a national standard to preempt the state laws. Bills to create a federal data breach notification standard have been introduced, but failed to pass, in every Congress since 2003.

The New Mexico law will take effect 90 days after the legislature’s March 18 adjournment.

Notification Requirements

Under the New Mexico law, companies will be required to notify affected individuals and the state attorney general within 45 days of discovering a data breach. However, the law includes a “risk of harm” trigger that requires notification only if there is “a significant risk of identity theft or fraud.”

The state attorney general is authorized to enforce the breach notice law by bringing suit on behalf of affected individuals. The law authorizes courts to enjoin conduct that violates the statute and award actual costs or losses. Fines for violating the law could reach up to $150,000 for knowingly and recklessly failing to notify.

The law also requires that companies use reasonable measures to protect personal data, and to ensure that personal information is properly disposed of when no longer stored.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Donald Aplin at

For More Information

Text of the data breach law is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
