What New Mexico Companies Need to Know About the State's Cybersecurity Law
In 2017, the New Mexico legislature significantly changed the manner in which New Mexico companies must protect, transfer, secure, and dispose of documents containing "personal identifying information" (PII). The new law, the Data Breach Notification Act, also requires covered entities to provide notice to individuals if their PII is compromised through a security breach. The Act empowers the New Mexico Attorney General to enforce these new obligations and allows the Attorney General to seek injunctive relief and monetary damages.
Perhaps the most notable requirement is that individuals and organizations that own or license PII of a New Mexico resident are now required to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification, or disclosure."
The Act defines personal identifying information as an individual's first name or first initial and last name combined with a social security number, driver's license number, government-issued identification number, biometric data, or an account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to a person's financial account. "Biometric data" is defined to include items such as fingerprints, voice prints, iris scans, facial characteristics, and hand geometry.
The takeaway: any company with employee or customer records containing these data elements is subject to the requirement to implement reasonable security practices and procedures.
Unfortunately, the Act does not define what constitutes reasonable security practices and procedures. This is not uncommon—many states that have enacted similar legislation have failed to provide such guidance. In the absence of statutory guidance, New Mexico entities should look to analogous laws and regulations, such as HIPAA's Security Rule, the Gramm-Leach-Bliley Act's Safeguards Rule, Massachusetts' data security regulations, and the New York Department of Financial Services Cybersecurity Regulations. For example, depending on the size of the entity and the amount of PII it has, entities should consider preparing written information-security and cyber-incident response plans, creating a data map, performing a risk assessment, and implementing appropriate employee policies and administrative safeguards, among other things.
Also of note is that the Act requires entities that disclose PII to a "service provider" to contractually require the service provider to implement and maintain reasonable security procedures and practices. "Service provider" is broadly defined as "any person that receives, stores, maintains, licenses, processes, or otherwise is permitted access to" PII through its services. That definition is likely to include commonly recognized service providers such as payroll processors, but, in the absence of guidance on what constitutes "reasonable" procedures and practices in this context, companies also should consider whether storing PII with a cloud-based service provider would trigger this provision. Examples of relevant contractual terms include requiring the service provider to maintain the confidentiality of the PII, to use the PII only for a specified purpose, and not to share it with third parties. Contracts also can require service providers to implement information security procedures such as encryption of the data in transit (e.g., sent by email or carried on thumb drives) and at rest (e.g., stored on a server), as well as access controls and data segregation. Companies that frequently disclose PII to service providers should consider creating a vendor questionnaire and a standard set of contractual terms to streamline this process and ensure that PII is adequately protected across different service providers.
The Act also requires entities to properly dispose of records containing PII when those records are no longer needed for business purposes. To properly dispose of such records, entities should take steps to prevent disclosure of PII, such as shredding paper records or erasing electronic records.
Finally, the Act requires entities to notify New Mexico residents if PII is subject to a security breach. Entities that possess or maintain PII that they do not own (e.g., a payroll vendor or cloud service provider) must notify the owner of the information if they suffer a security breach. In both instances, notice must be provided no later than 45 calendar days following discovery of the breach.
The Act creates an exception for providing notice if the data was encrypted (unless the encryption key also was compromised). That provision is significant because it allows entities to take steps today to encrypt data in transit and at rest to avoid the expense of providing notice if (and when) there is a breach. Considering that providing notice can easily cost tens of thousands of dollars, this is a step that can pay substantial dividends down the road.
The Act also provides that an entity does not need to provide notice if an "appropriate investigation" determines that the security breach does not give rise to a significant risk of identity theft or fraud. However, entities should keep in mind that such an investigation can take weeks, which may leave little time to provide notice within the 45-day window if the investigation concludes that notice is required after all. To avoid this fire drill, entities should consider implementing a cyber-incident response plan and identifying and vetting third-party vendors before a breach occurs. Those vendors should include a qualified computer forensic investigator, outside privacy/cybersecurity counsel, a mailing/call center provider, and an identity theft monitoring supplier.
In the event that notice is required, the Act specifies what the notice must contain, such as a description of the security breach, the types of PII that were compromised, and when the breach occurred.
Ultimately, New Mexico entities should carefully consider how these laws apply to their specific business and what measures must be taken to ensure compliance.