New Mexico needs a data breach notification law, but is this the right one?

Will New Mexico finally join the ranks of states that require data breach notification or will it remain one of only three holdouts? Dan Mayfield reports that Rep. Bill Rehm has introduced a bill to require businesses to notify consumers in the event of a breach.

Rehm tried to pass a similar bill last year but got pushback from some in the industry, he said. The new compromise bill is one he worked on with industry partners over the summer, he said.

Feel free to translate “industry partners” as “lobbyists.”

Analysis of HB 217

HB 217, the Data Breach Notification Act, was introduced on January 28, and is scheduled for hearing by the House Judiciary Committee on February 13. The bill only applies to computerized data, and uses an “acquisition” trigger for breach notification. The bill’s definition of “personal information” does not include username and password (login credentials).

On a positive note, the bill includes disposal requirements:

A person that owns or maintains records containing personal identifying information of a New Mexico resident shall arrange for proper disposal of the records when they are no longer reasonably needed for business purposes. As used in this section, “proper disposal” means shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable.

Thus, although the breach notification requirements would not appear to apply to paper records, the disposal provisions would apply.

The bill also requires reasonable security, stating that

a person that owns or maintains personal identifying information of a New Mexico resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.

Significantly, entities are also required to have contracts with service providers that attest that the service provider will similarly provide reasonable and appropriate security.

If breach notification is required, it must be made expeditiously, but no later than 45 days after discovery of the breach. Except, of course, when notification isn’t required. The bill exempts those covered by HIPAA or GLBA. But significantly, it also contains an exemption that was probably one of the big compromises in the bill:

Notwithstanding Subsection A of this section, notification to affected New Mexico residents is not required if, after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud and, for such breaches that affect more than one thousand New Mexico residents, the person provides a written explanation of the determination to the attorney general.

Notification may be delayed at the request of law enforcement or if the entity needs more time to determine the scope of the breach, or secure or restore its system.

Notification to the attorney general is also required under some circumstances, and the attorney general can pursue suspected violations of the law.

Interestingly, the bill provided an incentive/safe harbor for merchants to be PCI-DSS compliant (or industry standards compliant) by inserting a provision that card issuers may file civil complaints against merchant service providers whose retention of access device data constitutes a breach of access device data. If the card issuer prevails, a court may award them fees for (1) canceling or reissuing an access device; (2) stopping payments or blocking financial transactions to protect any account of the cardholder; (3) closing, reopening or opening any affected financial institution account of a cardholder; (4) refunding or crediting a cardholder for any financial transaction that the cardholder did not authorize and that occurred as a result of the breach; or (5) notifying affected cardholders.

I say “provided” because that section of the bill never made it out of the House Business & Employment Committee, which passed a substitute bill without that section.

About the author: Dissent
