New Mexico became the 48th state to enact data breach notification legislation with the Data Breach Notification Act, signed in April and effective as of June 16, 2017. Following a round of revisions that removed some of its more unusual provisions, it is generally in line with statutes found around the country. Key provisions include:

• Notification is required if the company reasonably believes that there has been “unauthorized acquisition” of personal information, unless there does not appear to be a “significant risk” of identity theft arising from the incident.
• “Personal information” triggering notification includes standard items such as social security number, driver’s license and financial account number, as well as biometric data.
• Notification is required to both individuals and the attorney general within 45 days after discovery of the incident.
• Companies must notify the New Mexico Attorney General, providing the number of New Mexico residents affected and a copy of the notification, if more than 1000 residents are affected.
• A notification designed to comply with the law in most states will comply in New Mexico so long as it includes mention of the consumer’s rights under the Fair Credit Reporting Act.

In short, compliance in New Mexico will not be too difficult given the measures already required to comply with statutes around the country. As always, however, you should consult with counsel to determine the precise requirements in each situation.

Our Security Breach Notification Chart offers a comprehensive and current summary of state laws regarding security breach notification. For further questions on state notification requirements or data breach prevention and remediation planning, please contact experienced counsel.

© 2017 Perkins Coie LLP