A New Mexico data breach notification bill was recently passed by a state Senate Committee, and will move on to the Senate Judiciary Committee, according to the Los Alamos Daily Post.
Rep. Bill Rehm introduced House Bill 15, and explained in February when the legislation passed the House of Representatives that New Mexico was one of three states that did not have a data breach notification law. The bill would “remedy a gap in [the] existing consumer protections and put [New Mexico] on par with other states,” he told the Grant County Beat.
The bill requires that individuals be notified should their personal information be involved in a security breach, and also requires that, in certain circumstances, consumer reporting agencies, the Attorney General’s office, and card processors be notified as well.
“A person that owns or maintains records containing personal identifying information of a New Mexico resident shall arrange for proper disposal of the records when they are no longer reasonably needed for business purposes,” the legislation reads. “As used in this section, ‘proper disposal’ means shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable.”
The data breach notification bill does not cover medical information or health insurance data.
“Personal identifying information” includes an individual’s first name or first initial and last name in combination with one or more of the following:
- Social Security number
- Driver’s license number
- Government-issued identification number
- Account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a person's financial account
- Unique biometric data, including the person's fingerprint, voice print or retina or iris image
Individual notification must also be made “in the most expedient time possible,” but not later than 30 calendar days after a security breach is discovered.
The legislation also specifies that it “shall not apply to a person subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996.”
Should it be determined that businesses or organizations violated the legislation, they may face a civil penalty of up to $25,000 or, in the case of failed notification, $10 per instance of failed notification, up to a maximum of $150,000.
“Forty-seven other states already have laws governing the protection of consumer information, and the other two states, Arkansas and South Dakota, are working on legislation as we speak,” Rehm told the Los Alamos Daily Post. “I hope the Senate will join the House in supporting this bill and bring New Mexico’s consumer protection laws into the 21st Century.”
More states are updating their data breach notification laws, and some are even starting to include medical information or health insurance data under the definition of personal information. Should that data be compromised, individuals must be notified.
Illinois Governor Bruce Rauner signed several amendments to a data breach notification law in June 2016, with some health data security regulations going into effect in 2017.
The Personal Information Protection Act was revised so that protected personal information now includes health insurance and medical information. Under the revised law, organizations are required to report data breaches that involve an individual’s first name or initial and last name in combination with specific healthcare data.
Furthermore, health insurance information is “an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any medical information in an individual's health insurance application and claims history, including any appeals records.”
The legislation also requires that any data collector who reports a healthcare data breach to the Department of Health and Human Services in compliance with HIPAA Rules and HITECH regulations must also submit a copy of that notification to the state’s Attorney General within five business days of notifying the federal department.