While there is no federal law requiring companies to notify individuals of data breaches, South Dakota and Alabama will be the only states without data breach legislation if Gov. Susana Martinez signs New Mexico’s H.B. 15, which the state legislature passed March 16. While the bill itself applies only to New Mexico residents, passage of H.B. 15—to be known as the “Data Breach Notification Act”—could put additional pressure on the United States Congress to draft federal legislation for data breach notification, so companies can base compliance on a single standard rather than a patchwork of state laws. In either case, the bill adds further requirements to that patchwork.

New Mexico’s Data Breach Notification Act, as passed by both houses of the state legislature, imposes several requirements on any “person” who “owns or licenses records containing personal identifying information of a New Mexico resident.” Those requirements include “proper disposal” of records containing personal identifying information when those records are “no longer reasonably needed for business purposes”; “implement[ing] and maintain[ing] reasonable security procedures and practices appropriate to the nature of the information” and requiring any retained service providers to do the same; and breach notification “in the most expedient time possible, but not later than thirty calendar days following discovery of the security breach.” Notification is not required, however, where, “after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.”

This post was also written by Frederick Lah.

Standards for determining whether an employee has privacy rights with respect to an employer-issued communications device continue to develop. The inquiry continues to be grounded in a detailed, fact-specific analysis of what the employee has been told, and permitted to do, by the employer. Recently, the Court of Appeals for Ontario found that a high school teacher had a reasonable expectation of privacy in personal information stored on his work computer based on the facts presented.

A high school teacher was issued a laptop by the school to take home and use on weekends for his exclusive personal use. In addition to keeping some personal files on the laptop — which was protected by a password determined by the teacher — the teacher allegedly possessed sexually explicit photos of a student at the high school where he was employed. When one of the school’s computer technicians noticed an unusual volume of activity on the teacher’s laptop, he investigated the teacher’s computer as part of his duties and found the photos. After the school’s principal was informed of the photos, the school handed the laptop over to the police, who took a mirror image of the laptop’s hard drive without obtaining a warrant. The officer believed that any data, including personal data, on the school’s laptop belonged to the school. The teacher was arrested thereafter.