Quick Facts
Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Most expedient time possible, but not later than 45 days
Government Notification Required: Yes, if >1,000 residents notified
Scope of this Summary:
Notification requirements applicable to entities that own or license elements that include covered info on a resident. Some types of businesses may be exempt from some or all of these requirements.
Risk of Harm Threshold
Notification not required if, after an appropriate investigation, the covered entity determines that the breach does not give rise to a significant risk of identity theft or fraud.
Breach Defined
Unauthorized acquisition that compromises the security, confidentiality, or integrity of the covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to covered info that is encrypted, redacted, or otherwise rendered unreadable or unusable, so long as the encryption key was not accessed or acquired.
Form of Covered Info
Electronic Only
Covered Information
An individual's first name or first initial and last name in combination with one or more of the following data elements:
- Social Security number.
- Driver's license number.
- Government-issue identification number.
- Account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a person's financial account.
- Biometric data, meaning a record generated by automatic measurements of an identified individual's fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual's identity when the individual accesses a physical location, device, system or account.
Consumer Notice Timing
Must be made in the most expedient time possible but no later than 45 calendar days following discovery of the breach, subject to the delay provision discussed below.
Consumer Notice Method
By written notice (delivered by US mail) or electronic notice (if primary method of communication with resident or if consistent with E-SIGN). Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
Notifications to New Mexico residents shall contain:
- The name and contact information of the notifying person.
- A list of the types of personally identifying information that are reasonably believed to have been the subject of a security breach, if known.
- The date of the security breach, the estimated date of the breach or the range of dates within which the security breach occurred, if known.
- A general description of the security breach incident.
- The toll-free telephone numbers and addresses of the major Consumer Reporting Agencies.
- Advice that directs the recipient to review personal account statements and credit reports, as applicable, to detect errors resulting from the security breach.
- Advice that informs the recipient of the notification of the recipient's rights pursuant to the federal Fair Credit Reporting Act.
Delayed Notice
Notification may be delayed (1) if law enforcement determines that notification will impede a criminal investigation; or (2) as necessary to determine the scope of the breach and restore the integrity, security, and confidentiality of the system.
Government Notice
If more than 1,000 residents are notified, must notify AG in the most expedient time possible but no later than 45 days after discovery of breach, unless delayed notice provision applies. Must include number of residents who were notified and a copy of the notice.
Consumer Reporting Agency Notice
If more than 1,000 residents are notified, must notify major Consumer Reporting Agencies in the most expedient time possible but no later than 45 days, unless delayed notice provision applies.
Exceptions for Other Laws
The statute exempts from compliance the following entities: Any person who is subject to the federal Gramm-Leach-Bliley Act (GLBA). Any person who is subject to the federal Health Insurance Portability and Accountability Act (HIPAA).
Third-Party Notice
If you maintain or possess covered info on behalf of another entity, you must notify it in the most expedient time possible, but no later than 45 days following discovery of a breach, subject to the harm threshold and delayed notice provisions.
Private Right of Action
The New Mexico general breach notification statute does not provide for a private right of action.
Potential Penalties
Violations may result in civil penalties.
This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.
Last revised on June 15, 2023