July 4, 2020

Volume X, Number 186

July 03, 2020

Subscribe to Latest Legal News and Analysis

July 02, 2020

Subscribe to Latest Legal News and Analysis

July 01, 2020

Subscribe to Latest Legal News and Analysis

New Mexico Moves One Step Closer to Becoming the 47th State with a Breach Notification Law

46 states plus Washington, D.C. have data breach notification laws.  Alabama, Kentucky, New Mexico and South Dakota still do not have a comprehensive notification law outside of the public sector.  That may change soon though, because the New Mexico House of Representatives unanimously passed a bill on February 17, 2014, that would require companies to notify state residents of a breach of their unencrypted personal information.  The bill appears to resemble many existing state breach notification laws, and contains a number of exceptions under which companies would not be required to provide notice of a breach.

The definition of personal information is the standard definition we see in many state breach notification laws – defined as name plus another data element that could lead to identity theft or financial fraud: social security number; driver’s license number; government-issued ID; or account number, credit card number or debit card number, in combination with any required code or password that would permit access to a person’s financial account.

If the bill passes, New Mexico will join the handful of other states with specific timing provisions for notification—if the breach involves 1,000 or more residents, companies would be required to notify affected individuals within 45 days of discovering the breach, and the state attorney general (AG) within 14 days (like Vermont).

Companies can avoid notification to affected residents if there is no “significant risk of identity theft or fraud,” but when the incident involves 1,000 or more individuals, the company still must notify the state AG with a written explanation of its risk of harm analysis.  Like many other states, the bill also contains a “deemed in compliance” provision stating that companies in compliance with the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act would be deemed to be in compliance with the proposed law.

At the federal level, there have been increased demands for Congress to establish a national data breach notification standard, and several bills have been introduced that would create such a standard.  Most recently, on February 4, 2014, U.S. Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced the Personal Data Protection and Breach Accountability Act, which seeks to establish a federal breach notification standard and impose minimum data security requirements for companies, like the approach taken in Massachusetts with 201 C.M.R. 17.00, et seq.  We will be watching these bills closely and reporting on any further developments.

© 2020 McDermott Will & EmeryNational Law Review, Volume IV, Number 59


About this Author

Our e-Business Group is composed of lawyers in the Firm's various offices and departments around the world. The Group is led by a core team of full-time technology transaction and e-business lawyers with historic practices in this area. Given the international scope and broad range of legal issues involved in important technology transactions and online trade, McDermott Will & Emery's breadth ensures that clients have access to leading-edge advice in any of the areas pertinent to the actual or proposed transaction or activity.

Lawyers in our...

305 347 6556