Only Alabama and South Dakota have yet to join the party . . .
As IT Governance reported, New Mexico has become the 48th state to enact a data breach notification law, with the Data Breach Notification Act. Governor Susana Martinez signed the bill on April 6th, and it went into effect on June 16th.
The law is similar to most other states' data breach laws, although it is more lenient in part. Organizations are required to notify individuals of a data breach if there has been "unauthorized acquisition" of personal data, but this isn't necessary if the organization deems that there is no "significant risk" of identity theft. This is always the giant nail on which organizations hang their hats – that there is no proof of significant risk.
If more than 1,000 individuals are affected, organizations will also have to notify the New Mexico attorney general. As with notification laws in many other states, organizations will be exempt from the act if they are already required to comply with the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA).
Organizations must report a breach "in the most expedient time possible" – but no later than 45 days after discovering it. As law firm Mayer Brown writes: "In contrast, most states require service providers to notify data owners 'immediately,' and Florida and Georgia require notification by service providers within 10 days and 24 hours, respectively."
The law also includes a wider definition of personally identifiable information, including biometric data such as fingerprint records or iris scans. The only other states that include biometrics are Illinois, Iowa, Nebraska, and Wisconsin.
That 45-day time limit is extremely generous compared to the EU General Data Protection Regulation (GDPR), which will take effect in May 2018. Any organization that handles EU residents' personal data – and that includes many companies based in New Mexico and other US states – must report a data breach within 72 hours of discovering it. That's less than a third of the time that organizations in even the strictest US state have.
As the report points out, alarmingly, all signs point to a general indifference toward the GDPR in the US, with a report finding that 20% of US organizations haven't even begun to prepare for the Regulation.
E-mail: email@example.com Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology