New Mexico Statutes § 57-12C-1 et seq
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
"“Security breach” means the unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality or integrity of personal identifying information maintained by a person. “Security breach” does not include the good-faith acquisition of personal identifying information by an employee or agent of a person for a legitimate business purpose of the person; provided that the personal identifying information is not subject to further unauthorized disclosure."
When is notice required?
Notice is required for all affected residents "...in the most expedient time possible, but not later than forty-five calendar days following discovery of the security breach..." except for law enforcement delays or delays to determine scope and restore integrity. Notice may be written, electronic, or via "substitute notice" procedures, depending on circumstances, and must include all of the items in § 57-12C-7. Any breach affecting over 1,000 residents triggers reporting requirements to consumer credit agencies and the Attorney General.
What are the penalties for non-compliance?
Importantly, the penalties below may also be invoked for violations of the security standards and record disposal standards that are included in the same statute. Penalties for all violations are set out in their own section of the law, § 57-12C-11, which reads as follows:
"A. When the attorney general has a reasonable belief that a violation of the Data Breach Notification Act has occurred, the attorney general may bring an action on the behalf of individuals and in the name of the state alleging a violation of that act.
B. In any action filed by the attorney general pursuant to the Data Breach Notification Act, the court may:
(1) issue an injunction; and
(2) award damages for actual costs or losses, including consequential financial losses.
C. If the court determines that a person violated the Data Breach Notification Act knowingly or recklessly, the court may impose a civil penalty of the greater of twenty-five thousand dollars ($25,000) or, in the case of failed notification, ten dollars ($10.00) per instance of failed notification up to a maximum of one hundred fifty thousand dollars ($150,000)."