New Mexico House OKs Breach Notice Bill With Amended Payment Card Provisions


Feb. 21 -- The New Mexico House Feb. 17 unanimously passed a significantly amended version of a bill (H.B. 224) to require companies to notify state residents of the breach of their unencrypted personal information.

If enacted, the measure would make New Mexico the 47th state with a breach notice law. The measure includes unique payment card breach provisions.

The bill has undergone significant amendments since it was introduced Jan. 29 (13 PVLR 221, 2/3/14).

Significant Amendments

The amended bill changes the deadline for companies to notify affected individuals of a breach from 10 business days after discovering a breach to 45 days after discovering a breach.

Companies, however, would be obligated under the proposed law to notify the state attorney general and consumer reporting agencies within 14 days of discovering a breach.

The bill still includes a provision requiring that companies notify the state attorney general of breaches, but the threshold of affected state residents needed to trigger notification jumped from 50 in the bill as introduced to 1,000 in the version passed by the House.

The amended bill now also includes a risk of harm threshold for when breaches must be reported. Affected individuals must be notified only if there is no “significant risk of identity theft or fraud.” A company that determines not to notify individuals in a breach affecting 1,000 or more New Mexico residents would be required to notify the state attorney general.

The bill was also amended to make clear that companies in compliance with the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act would be deemed to be in compliance with the proposed law.

A provision to allow individuals to file lawsuits to recover actual or statutory damages was dropped from the measure.

The bill retains reasonable data security and personal data disposal mandates for companies.

Payment Card Provisions

H.B. 224 would require merchant service providers, such as retailers, involved in a breach who received credit or debit card numbers to notify card companies within 10 business days following discovery of the breach.

That represents a big change from the original bill, which would have set a two business day deadline to notify banks and other card-issuing financial institutions.

Under the amended version of the bill, a special risk of harm threshold for notice that would have applied only to payment card breaches has been deleted. All breaches now fall under the newly added general notice risk trigger standard.

The amended H.B. 224 retained a provision allowing card issuers to sue to recover administrative costs, such as replacing cards, covering fraudulent charges and covering the costs of notification.

The bill, however, now includes a provision that would exempt merchant services providers from liability for post-breach payment card costs if they are in compliance with the Payment Card Industry Data Security Standard, or successor industry standards.

Other States

In addition to New Mexico, only Alabama, Kentucky and South Dakota don't have any type of data breach notice law.

The Kentucky House Jan. 30 unanimously approved a public sector data breach bill (13 PVLR 221, 2/3/14).

Alabama's Legislature convened Jan. 14. As of Feb. 21, no breach notice bills had been introduced.

South Dakota's Legislature convened Jan. 14. But as of Feb. 21, no breach notice bills had been introduced.

H.B. 224, as amended on the floor and passed by the House, is available at
