Information Covered / Important Definitions
Personal information of New Mexico residents.
Definition includes biometric data.
“Biometric Data” means a record generated by automatic measurements of an identified individual's fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual's identity when the individual accesses a physical location, device, system, or account.
“Encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.
“Security Breach” means the unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality, or integrity of personal identifying information maintained by a person.
“Service Provider” means any person that receives, stores, maintains, licenses, processes, or otherwise is permitted access to personal identifying information through its provision of services directly to a person that is subject to regulation.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person that owns or licenses computerized data that includes personal information.
Third party recipients:
A third party covered entity that maintains computerized data containing personal information that the covered entity does not own or license must notify the owner or licensee of any security breach involving the personal information in the most expedient time possible but not later than forty-five (45) days following determination of the breach unless the third party covered entity concludes, after an appropriate investigation, that the security breach does not give rise to a significant risk of identity theft or fraud.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to New Mexico residents whose personal information is reasonably believed to have been subject to a security breach in the most expedient time possible but not later than forty-five (45) days following the determination of the breach, unless a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).
- Specific content requirements prescribed by statute for notice to individuals.
- Substitute notice is available by means described in the statute if the cost of notice would exceed $100,000, the affected class exceeds 50,000 persons, or the covered entity has insufficient contact information.
- Notice not required if the covered entity responsible for the data concludes after a reasonable investigation that the security breach does not give rise to a significant risk of identity theft or fraud.
Any covered entity that must notify more than 1,000 New Mexico residents of a single security breach is also required to notify major consumer reporting agencies in the most expedient time possible but not later than forty-five (45) days following determination of the breach.
A covered entity must ensure proper disposal of records containing personal information when they are no longer reasonably needed for business purposes by means of shredding, erasing or otherwise modifying the personal information contained in the records to make it unreadable or undecipherable.
A covered entity must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
A covered entity that discloses personal information of New Mexico residents to a service provider must have a contract in place with the service provider requiring reasonable security procedures and practices that are appropriate to the nature of the personal information and that protect it from unauthorized access, destruction, use, modification or disclosure.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal information that was acquired by an unauthorized individual is encrypted.
Safe harbor not available if the confidential process or key is compromised together with the encrypted data.
Exemption for good faith acquisition of personal information by an employee or agent of covered entity for a legitimate business purpose so long as personal information is not subject to further unauthorized disclosure.
A covered entity is deemed in compliance with the New Mexico statute if it maintains and complies with its own notification procedures as part of an information security policy, and those procedures are consistent with the timing requirements of the New Mexico statute.
A covered entity that is subject to GLBA or HIPAA is exempt from New Mexico’s statute.
Notification to Regulator / Waiver
Attorney general must be notified not later than forty-five (45) days after determination of a security breach if more than 1,000 New Mexico residents are affected.
Notification must include the number of New Mexico residents affected and a copy of the notification letter.
A determination that there is no likelihood of harm does not require notification to the Attorney General.
Attorney general may bring action to seek injunctive relief and award of damages for actual costs or losses, including consequential financial losses.
If a court determines that a covered entity violated the statute knowingly or recklessly, the court may impose a civil penalty of up to $25,000 or $10.00 per instance of failed notification up to a maximum of $150,000.
Private Cause of Action / Enforcement
Private Cause of Action: No.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.