Not a Member? Get access to HR news and resources that you can trust.
Sustainable design practices lead to happy employees—and healthy businesses.
Is your employee handbook keeping up with the changing world of work? With SHRM's Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Set yourself up for success with virtual SHRM-CP/SHRM-SCP Certification Prep Seminars.
#SHRM18 will expand your perspective – on your organization, on your career, and on the way you approach HR. Join us in Chicago June 17-20, 2018
New Mexico has become the 48th state to enact a data breach notification law requiring that individuals be notified of security breaches of information involving personal identifying information.
Gov. Susana Martinez signed H.B. 15 on April 6. The new law follows the same general structure of many of the breach notification laws in other states. It will become effective on June 16.
The three key components of the act are:
This leaves Alabama and South Dakota as the only states that have not enacted data breach notification legislation.
Personal Identifying Information
Under New Mexico's Data Breach Notification Act, PII means an individual's first name or first initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable:
Biometric data is defined as "a record generated by automatic measurements of an identified individual's fingerprints, voice print, iris or retina patterns, facial characteristics, or hand geometry that is used to uniquely and durably authenticate an individual's identity when the individual accesses a physical location, device, system or account."
Some states (including Illinois) have implemented or amended their own data breach notification laws to include elements such as biometric data.
Disposal of PII
Under the act, organizations must arrange for the proper disposal of records containing the PII of New Mexico residents when the records are no longer reasonably needed for business purposes.
Proper disposal means shredding, erasing or otherwise modifying the PII contained in the records to be unreadable or undecipherable.
Security Measures for Storage of PII
Organizations must implement and maintain—and contractually require their service providers and vendors to implement and maintain—reasonable security procedures and practices to protect the PII they own or license from unauthorized access, destruction, use, modification or disclosure. Unlike California, New Mexico has not yet provided guidance on what constitutes reasonable security procedures and practices. Nevertheless, all organizations should implement safeguards to protect the personal and company information they maintain.
Notification of Security Breach
In the event of a breach, the act states:
Notification to each New Mexico residents must include:
In the event of a breach affecting more than 1,000 New Mexico residents, notification must be provided to the New Mexico Attorney General and the major consumer reporting agencies within 45 calendar days following discovery of the breach. Such notice must include a copy of the notification sent to affected residents.
Notification may be delayed at the request of law enforcement or as necessary to determine the scope of the breach and restore the integrity, security and confidentiality of the system.
Notification is not required if, after an appropriate investigation, the person determines the breach "does not give rise to a significant risk of identity theft of fraud." This is known as a risk of harm trigger.
The act does not apply to a person subject to Gramm-Leach-Bliley Act (GLBA) or Health Insurance Portability and Accountability Act (HIPAA).
Under the act, the New Mexico Attorney General may bring an action for injunctive relief and award of damages for actual costs or losses, including consequential financial losses.
If a violation of the act is found to be knowing or reckless, a court may impose a civil penalty of the greater of $25,000 or, in the case of failed notification, $10 per instance of failed notification up to a maximum of $150,000.
Jason C. Gavejian is an attorney with Jackson Lewis in Morristown, N.J. © Jackson Lewis. All rights reserved. Reposted with permission.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Your session has expired. Please log in again before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
SHRM-CP/SHRM-SCP Exam Application Deadline: October 20
SHRM’s HR Vendor Directory contains over 3,200 companies