Effective June 16, New Mexico will be the 48th state with a PII data breach notification statute. New Mexico joins the vast majority of states, plus the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands, in requiring notice to affected residents of PII security breaches – as of June, only Alabama and South Dakota will lack such a law.
Like other states’ statutes, New Mexico’s new law is triggered by the residency of the affected individuals, and so companies across the country with PII of New Mexico residents must now fold the New Mexico requirements into both their PII policy definitions and their breach response protocols.
So, how does New Mexico’s new statute fit into our perplexing puzzle of PII breach notification laws?
In most respects, the New Mexico statute is “middle of the road” among the various states’ laws requiring PII breach notification:
- the statute applies only to PII in computerized format, not paper media;
- encryption, redaction, and other means of rendering data unreadable or unusable are safe harbors;
- entities subject to GLBA or HIPAA are exempt;
- law enforcement can delay notifications;
- Attorney General and consumer reporting agency notifications have a trigger of over 1,000 affected residents; and
- the Attorney General’s office can enforce the statute and seek an injunction, damages, and civil penalties.
Yet in a few respects the New Mexico statute contributes to some complexities:
PII Definition Includes Biometric Data
New Mexico’s statute has a mostly traditional definition of computerized PII: name elements combined with any of SSN, driver’s license or government ID number, or account/credit card/debit card number plus access information. But New Mexico also adds biometric data as a PII combination element, thereby joining seven other states (IA, IL, NE, NC, OR, WI, and WY) that define name plus biometric data as PII. The New Mexico definition of biometric data is broad: a record generated by automatic measurements of an identified individual’s fingerprints, voice prints, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system, or account. Thus, any company that captures biometric data of residents of any of (now) eight states must ensure it has addressed the data security and data breach legal repercussions.
No Risk of Harm/Investigation Exception
About half of the various states’ statutes contain an explicit exception to notification requirements if a good faith, reasonable, and prompt investigation supports a determination that no harm, misuse, fraud, or identity theft is likely to occur. Most of the remaining states have a similar “no harm, no foul” notion folded directly into their definitions of a security breach. But New Mexico’s statute has no risk of harm/investigation exception, and its definition of a security breach is quite broad: “the unauthorized acquisition of … computerized data … that compromises the security, confidentiality or integrity of [PII] ….” This complicates handling determinations in “no harm, no foul” incident scenarios.
Notice Contents are Prescribed
A slight majority of the states do not have statutory requirements for the specific content of PII breach notifications. But New Mexico joins 22 other jurisdictions (CA, FL, HI, IL, IA, MD, MA, MI, MO, NH, NY, NC, OR, PR, RI, SC, VA, VT, WA, WV, WI, and WY) in prescribing what must be included in notices to affected individuals. For multistate incidents including New Mexico residents, these content requirements must be added to the mix.
45-Day Deadline for Notifications – Tick Tock
The vast majority of states have no precise deadlines for issuing notifications, measured in days, but instead simply require (in various statutory language) that notifications be made in the most expedient time possible and without unreasonable delay. The few that do impose deadlines range from 10 days (PR) to 30 days (FL), 45 days (OH, RI, TN, VT, WA, and WY), or 90 days (CT). New Mexico follows this trend, imposing a not-to-exceed deadline of 45 days following discovery of the breach. Like most such provisions, the New Mexico statute also provides an exception for the time necessary to determine the scope of the security breach and to restore the data system’s integrity, security, and confidentiality. Notably, however, this exception does not explicitly reference any time needed to identify the affected individuals, other than its general reference to determining the security breach’s “scope.”