While there is no federal law requiring companies to notify individuals of data breaches, South Dakota and Alabama will be the only states without data breach legislation if Gov. Susana Martinez signs New Mexico’s H.B. 15, which the state legislature passed March 16. While the bill itself applies only to New Mexico residents, passage of H.B. 15—to be known as the “Data Breach Notification Act”—could put additional pressure on the United States Congress to draft federal legislation for data breach notification, so companies can base compliance on a single standard rather than a patchwork of state laws. In either case, it adds additional requirements to that patchwork.

New Mexico’s Data Breach Notification Act, as passed by both houses of the state legislature, imposes several requirements on any “person” who “owns or licenses records containing personal identifying information of a New Mexico resident.” Those requirements include “proper disposal” of records containing personal identifying information when those records are “no longer reasonably needed for business purposes”; “implement[ing] and maintain[ing] reasonable security procedures and practices appropriate to the nature of the information” and requiring any retained services providers to do the same; breach notification “in the most expedient time possible, but not later than thirty calendar days following discovery of the security breach”; though notification is not required where, “after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.”Continue Reading And Then There Were Two – New Mexico Set to Become 48th State to Enact Data Breach Notification Law