New Mexico Enacts Breach Notification and Data Security/Secure Disposal Law, While Tennessee Clarifies Encryption Exception

New Mexico has become the 48th state to enact a data breach notification law, which also includes data security requirements. The Data Breach Notification Act, signed by Governor Martinez on April 6, 2017, requires notification within 45 days of discovery of a security breach, or “unauthorized acquisition” of computerized personal information, subject to the needs of law enforcement. A security breach is also limited to unencrypted data or encrypted data when the decryption key is compromised. Personal data protected by the law includes Social Security numbers, driver’s license numbers, government-issued identification numbers, account, credit card or debit card number paired with the security code or other pin, and biometric data.

Under the newest state breach law, notification to affected individuals is triggered where, after an appropriate investigation, there is “a significant risk of identity theft or fraud.” When notifying more than 1,000 residents, the Attorney General and major credit reporting agencies must also be notified within the 45-day period. The law includes a unique provision where, if the breach involves credit or debit card numbers, the breach-suffering company must also notify each merchant services provider to which the business transmitted the card number within ten business days after discovering the breach. While the law does not create a private cause of action, it empowers the Attorney General to request an injunction and damages, up to a maximum of $150,000. As with many state laws, Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act regulated entities are subject to a limited exemption.

In addition to data breach notification requirements, New Mexico enacted generally applicable information security requirements that are already common in many states. The law now requires certain disposal, contractual, and security measures for persons who own or maintain personally identifying information. Personally identifying information must be disposed of to make the information unreadable or indecipherable. Persons owning or maintaining personal information must “implement and maintain reasonable security procedures and practices” and contractually require their service providers to do the same.

Meanwhile, Tennessee recently clarified its data breach notification law on April 4, 2017. A 2016 amendment had created substantial confusion about whether a compromise of encrypted data was or was not exempt from notification requirements. That amendment removed “unencrypted” from the definition of a “breach of security of the system,” but the definition of “data breach” still included “compromise” language that could influence the analysis of encrypted data. The newest amendment unambiguously states that the law does not apply to “information that has been encrypted in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2 if the encryption key has not been acquired by an unauthorized person.”