Earlier this month, New Mexico became the forty-eighth state to enact a data breach notification law. Only Alabama and South Dakota remain without such requirements. The Data Breach Notification Act goes into effect on July 1, 2017. Organizations that are subject to the requirements of the HIPAA breach notification standards are exempt from the statute.
There are a number of notable provisions of the New Mexico Data Breach Notification Act. The law applies to unencrypted computerized data or encrypted computerized data when the encryption key or code is also compromised. The notification requirements are not triggered unless an investigation finds that a security breach provides a significant risk of identity theft or fraud.
If an organization that does business in New Mexico determines that a security breach has occurred, notice must be made to New Mexico residents within 45 calendar days of discovery. Third-party service providers are also required to notify the data owner or licensor within 45 days of discovery of a data breach. Notice must be made to the New Mexico Attorney General and the major consumer reporting agencies if more than 1,000 New Mexico residents are notified of a breach.
The New Mexico Breach Notification Law contains a data disposal provision that requires data owners or licensors to shred, erase or otherwise make unreadable personal identifying information contained in records when it is no longer needed for business purposes.
In addition, the law requires data owners and licensors to implement and maintain reasonable security procedures and practices designed to protect personal identifying information from unauthorized access, destruction, use, modification or disclosure. Contracts with third-party service providers must require that the service provider implement and maintain appropriate security safeguards to protect personal information.
While HIPAA covered entities and business associates are exempt from the provisions of the New Mexico Breach Notification Law, they are not completely off the hook. If an organization handles data that falls within the definition of “personal identifying information” protected under the statute, and this information is created or maintained in connection with an activity that falls outside of the protections of the HIPAA standards, the notification provisions of the New Mexico act would apply.
For example, a retailer that operates a pharmacy within a grocery or variety store and has designated itself a hybrid covered entity could find itself subject to the state’s breach law. If a security breach of the personal information maintained through the non-HIPAA covered function were to occur, the New Mexico Breach Notification Law requirements would apply to that data. The same analysis would apply to a business that serves as a HIPAA business associate: it would be required to comply with the act’s requirements to have appropriate safeguards to protect personal information for those activities that do not involve the creation or maintenance of protected health information.