New Mexico Set to Be 48th State with Breach Notification LawGov. Susana Martinez Expected to Sign Measure Soon
New Mexico is on the cusp of becoming the 48th state to enact a data breach notification law, which would leave Alabama and South Dakota as the only states without such a statute.
The New Mexico Senate on March 15 passed the Data Breach Notification Act, or HB 15, by a 40-0 vote and sent the bill to Gov. Susana Martinez for her signature. The House approved the bill by a 68-0 margin on Feb. 15.
A gubernatorial spokesman says Martinez is reviewing the legislation and has 20 days from passage to decide whether to approve it. The bill's sponsor, Rep. Bill Rehm, says he believes his fellow Republican will sign the measure.
What took New Mexico so long to enact a data breach notification law? Resistance from some businesses was a key factor, says Mark Medley, who runs ID Theft Resolutions, a not-for-profit organization that supports New Mexicans victimized by identity theft. "Lobbyists who didn't want it [the bill's passage] are very strong and influential in Santa Fe," Medley says.
To win passage this year, Rehm says he worked closely with business representatives, seeking compromises on specific provisions. For instance, earlier data breach notification bills that failed to win passage included a provision that breached organization had only 30 days to notify victims. The law passed this year gives organizations 45 days to issue notification.
New Mexico's law, if enacted, would require businesses operating in the state to take reasonable security procedures to safeguard personally identifiable information. Unlike Massachusetts' law, the New Mexico measure is not prescriptive, giving much latitude to businesses to decide how best to protect PII.
The measure also would require organizations to notify the state attorney general if more than 1,000 New Mexicans fell victim to a breach.
Breached organizations must notify individuals "in the most expedient time possible, but not later than 45 days following discovery of the security breach," according to an analysis of bill by the law firm Baker Hostetler. Organizations would be exempt from notification if, after an investigation, it's determined the breach didn't pose a significant risk of identity theft or fraud.
Like notification laws in many other states, organizations would be exempt from complying with the New Mexico statute if they must comply with the Gramm-Leach-Bliley Act that governs financial institutions handling private information or the Health Insurance Portability and Accountability Act that regulates patient information.
The New Mexico measure would require organizations to provide breach victims with advice on how to access personal account statements and credit reports to detect errors resulting from the security breach and also inform them of their rights under the Fair Credit Reporting and Identity Security Act.
Besides 47 states, the District of Columbia and three territories also have data breach notification laws on the books.
"No two state data breach notification laws are alike, and this can create a complicated landscape for privacy teams working to assess privacy incidents and remain compliant across multiple jurisdictions," says Alan Wall, senior counsel and global privacy officer at Radar, a company that provides online incident response management service. "The nuances of state penalties for noncompliance with data breach laws can have very real impacts on a privacy team already spread thin dealing with a data breach."
Such concerns have been behind calls for Congress to enact a federal statute to establish a single data breach notification standard that supersedes state laws. But efforts since 2008 to enact such a law have faltered (see Single US Breach Notification Law: Stalled).
A national data breach notification law would simplify reporting breaches to law enforcement, citizens and consumers because organizations would only have to follow one set of rules, rather than a patchwork of state requirements.
But a federal data breach notification requirement - at least in the eyes of some consumer advocates - could potentially weaken security safeguards found in some state laws (see Barriers to a Breach Notification Law). For example, Massachusetts' and California's data breach notification laws contain prescriptive security processes that likely would not be included in a federal law.
In testimony before Congress in 2015, Massachusetts Assistant Attorney General Sara Cable argued that pre-empting state laws could "represent significant retraction of existing protections for consumers at a time when such protections are imperative."
No legislation calling for a national data breach notification requirement has been introduced in Congress this year, according to a search of Congress.gov. "Now we play the waiting game for either state No. 49 to throw its hat into the notification ring or the federal government to pass a law that would unify notification obligations across all states," says Erich Falke, a partner at the law firm Baker Hostetler who specializes in data privacy and data protection. "I'm not holding my breath for the latter."