As reported by Bank Info Security, Gov. Susana Martinez signed legislation on April 6th making New Mexico the 48th state to enact a data breach notification law. The law takes effect on June 16.
Alabama and South Dakota are now the only states without a data breach notification law.
The New Mexico statute "follows the same general structure of many of the breach notification laws in other states," privacy lawyer Jason Gavejian says. "Importantly, the definition of personal identifying information under New Mexico's Data Breach Notification Act includes biometric data."
Only a handful of states including Illinois, Iowa, Nebraska and Wisconsin define PII to include biometric data, according to the law firm Mayer Brown LLP.
An analysis of the new statute by Mayer Brown says New Mexico deviates in a few ways from what most other states' data breach notification laws typically require. "For example," the analysis says, "a service provider that processes data on behalf of a data owner must notify the owner of a breach 'in the most expedient time possible,' but not later than 45 days following discovery of the breach. In contrast, most states require service providers to notify data owners 'immediately,' and Florida and Georgia require notification by service providers within 10 days and 24 hours, respectively."
New Mexico's law requires businesses operating in the state to implement reasonable security procedures to safeguard personally identifiable information. Unlike Massachusetts' law, the New Mexico measure is not prescriptive, giving businesses much latitude to decide how best to protect PII.
The measure also requires organizations to notify the state attorney general if more than 1,000 New Mexicans were victims of a breach.
As with notification laws in many other states, organizations would be exempt from complying with the New Mexico statute if they must comply with the Gramm-Leach-Bliley Act, which governs financial institutions handling private information, or the Health Insurance Portability and Accountability Act, which regulates patient information.
Alabama and South Dakota, are you two competing to be the last state to protect your residents?