New Mexico is one of the few remaining states to not have a law requiring companies to notify consumers when their information is part of a data breach. This, however, might change very soon. Last Wednesday, the New Mexico Legislature passed House Bill 15, called the “Data Breach Notification Act,” sending the bill to Governor Susana Martinez for her signature.
Among other things, the act requires companies with personally identifiable information of New Mexico residents to use reasonable security procedures and practices to protect that information. The act also requires companies to notify New Mexico residents within 45 days of discovering that their information was subject to a security breach. The act’s requirements generally comport those of other states, including Massachusetts. As the bill’s sponsor, N.M. Rep. Bill Rehm, said, “This bill will remedy a gap in our existing consumer protections and put us on par with other states.” There are some notable differences with the Massachusetts law, however. For instance, the Massachusetts regulations list specific security measures and procedures companies must put in place. Massachusetts also does not provide a specific deadline for consumer notification, just stating that companies must provide notice “as soon as practicable and without unreasonable delay.”