N.M. Set to Be Next to Make Companies Give Breach Notice

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George Lynch

New Mexico is poised to become the 48th state to require companies to notify individuals of breaches of electronic data after its legislature cleared a breach notice bill March 16.

If Gov. Susana Martinez (R) signs the bill (H.B. 15), only Alabama and South Dakota would remain without some version of a data breach notice law. Companies have complained that the patchwork of state breach notice laws should be replaced by a single federal standard. It is unclear whether New Mexico’s addition to the patchwork may finally prompt Congress to act to preempt state breach notice laws. Breach notice bills have been introduced but failed to pass in every Congress since 2003.

A New Mexico law won’t have any impact on Congress’s decision to pass a federal data breach law, Kirk Nahra, a privacy partner at Wiley Rein LLP in Washington, told Bloomberg BNA March 17.

Under the New Mexico bill, companies would be required to notify affected individuals and the state attorney general within 45 days of discovering a breach. But the proposed law includes a risk of harm trigger that requires notification only if there is “a significant risk of identity theft or fraud.”

“The Governor has 20 days from the end of the session to review and act on the legislation. As with any bill, she will carefully review and analyze it before making a decision,” a spokesman for Gov. Martinez told Bloomberg BNA March 17. The legislative session is slated to end March 18.

Rep. Bill R. Rehm (R), who sponsored the bill, told Bloomberg BNA March 17 that he’s optimistic that Martinez will sign the bill.

Data Security. Disposal Provisions

The bill includes a provision requiring companies to adopt “reasonable security” for protected personal data. It would also require companies to dispose of data to ensure that personally identifying information is “unreadable or undecipherable.”

These reasonable security procedures are the “biggest deal” in the law, Nahra said. It’s unusual, among states, to require companies to have such procedures in place and to require them to contractually require their vendors to have them as well, Nahra said.

The proposed law includes unique biometric data in the definition of protected information, alongside the traditional list of Social Security, driver’s license and payment card numbers.

Attorney General Enforcement

The state attorney general would be authorized to enforce the breach notice law by bringing suit on behalf of affected individuals. The proposed law would authorize courts to enjoin conduct that violates the statute and award actual costs or losses.

If a court determines a violation of any of the provisions of the law was due to reckless or knowing conduct, it would be authorized to impose a civil penalty of $25,000.

In the case of a knowing or reckless failure to provide notice of a breach, the court would be authorized to impose a penalty of $25,000 or $10 per instance of failed notification of individuals, whichever is greater, up to $150,000.

The bill makes no provision for individuals to file suit over alleged violations of the statute.

To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Text of the bill, as substituted and passed in the House before minor technical changes in the Senate, is available at https://www.nmlegis.gov/Sessions/17%20Regular/bills/house/HB0015JCS.pdf.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security