Skip to main content

States Take Action! New Mexico, Tennessee and Virginia Pass New Data Breach Legislation

After a quiet winter there has been significant activity in state legislatures to enact, strengthen or clarify their data breach notification statutes. The latest happenings are summarized below and we have updated our “Mintz Matrix” to reflect these new and pending laws. 

New Mexico

Last week we alerted you that, at long last, data breach legislation was sitting on the desk of New Mexico’s governor. On April 6th, Governor Susana Martinez signed the Data Breach Notification Act, which passed unanimously in the state’s House and Senate, and with the stroke of her pen she finally ended New Mexico’s unenviable status as one of only three states without a data breach notification law on the books.  We are keeping an eye on the last two outliers – Alabama and South Dakota – and will keep you up to date if we see any meaningful legislative activity in these states.

Click here for the final text of the statute and please review our previous blog post for the nitty gritty details about the legislation.  The law will go into effect on June 16, 2017.


The Tennessee legislature has been tinkering with the state’s data breach notification statute since last year and earlier this month passed an amendment to clarify some confusion arising out of its 2016 amendment.  This latest amendment clearly states that businesses experiencing a breach of encrypted computerized data do not need to notify affected residents unless the key necessary to defeat the encryption is also compromised as part of the breach. Click here for the full text of the amended statute. The amendment became effective on April 4, 2017.


In Virginia, legislators are clearly well-aware of the rampant W-2 phishing e-mails that have plagued businesses in recent years and cost many states millions of dollars as a result of payments made and investigations conducted on fraudulent tax returns. To combat this wildly successful scam, Virginia has amended its data breach notification statute to ensure that its Attorney General and Department of Taxation is aware when employers and payroll service providers experience a breach involving taxpayer identification numbers and withholding information. Click here for the full text of the amendment (see italicized language in § 18.2-186.6(M)).  The amendment will become effective on July 1, 2017.

The amended portion of the statute applies to employers or payroll service providers who experience a security breach (i.e. unauthorized access and acquisition of personal information) involving unencrypted and unredacted computerized data containing a taxpayer identification number in combination with income tax withholding information for that taxpayer. Following such a breach, and a determination that it is reasonably likely to cause identity theft or fraud, the employer or payroll service provider must notify the Attorney General and provide its name and federal employer identification number. The Attorney General will then notify Virginia’s Department of Taxation.

It is important to note that this amendment supplements the existing statute and applies only to employers and payroll service providers.


Our latest Mintz Matrix is available here for downloading and is always linked through the blog right hand navigation bar.

Our quick disclaimer: The Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.

Subscribe To Viewpoints


Michael B. Katz is a Mintz corporate attorney who focuses on mergers & acquisitions, private equity transactions, and venture capital financings. He regularly assists clients with commercial contract negotiations, licensing agreements, and data privacy & security matters and advises startup and emerging companies.

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.