46 states plus Washington, D.C. have data breach notification laws. Alabama, Kentucky, New Mexico and South Dakota still do not have a comprehensive notification law outside of the public sector. That may change soon though, because the New Mexico House of Representatives unanimously passed a bill on February 17, 2014, that would require companies to notify state residents of a breach of their unencrypted personal information. The bill appears to resemble many existing state breach notification laws, and contains a number of exceptions under which companies would not be required to provide notice of a breach.
The definition of personal information is the standard definition we see in many state breach notification laws – defined as name plus another data element that could lead to identity theft or financial fraud: social security number; driver’s license number; government-issued ID; or account number, credit card number or debit card number, in combination with any required code or password that would permit access to a person’s financial account.
If the bill passes, New Mexico will join the handful of other states with specific timing provisions for notification—if the breach involves 1,000 or more residents, companies would be required to notify affected individuals within 45 days of discovering the breach, and the state attorney general (AG) within 14 days (like Vermont).
Companies can avoid notification to affected residents if there is no “significant risk of identity theft or fraud,” but when the incident involves 1,000 or more individuals, the company still must notify the state AG with a written explanation of its risk of harm analysis. Like many other states, the bill also contains a “deemed in compliance” provision stating that companies in compliance with the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act would be deemed to be in compliance with the proposed law.
At the federal level, there have been increased demands for Congress to establish a national data breach notification standard, and several bills have been introduced that would create such a standard. Most recently, on February 4, 2014, U.S. Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced the Personal Data Protection and Breach Accountability Act, which seeks to establish a federal breach notification standard and impose minimum data security requirements for companies, like the approach taken in Massachusetts with 201 C.M.R. 17.00, et seq. We will be watching these bills closely and reporting on any further developments.