Can I avoid having a data breach response plan in New Mexico? What are the requirements?
Data Breach Response Plan Requirements in New Mexico
New Mexico has a Data Breach Notification Act [1.1] that requires any person that owns or licenses elements that include personal identifying information of a New Mexico resident to provide notification to each New Mexico resident whose personal identifying information is reasonably believed to have been subject to a security breach. Notification shall be made in the most expedient time possible, but not later than forty-five calendar days following discovery of the security breach. Notification to affected New Mexico residents is not required if, after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.
A person that is licensed to maintain or possess computerized data containing personal identifying information of a New Mexico resident that the person does not own or license shall notify the owner or licensee of the information of any security breach in the most expedient time possible, but not later than forty-five calendar days following discovery of the breach. Notification to the owner or licensee of the information is not required if, after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.
A person required to provide notification of a security breach shall provide that notification by United States mail, electronic notification, or a substitute notification [1.1].
Exemptions
The provisions of the Data Breach Notification Act shall not apply to a person subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996 [1.5].
Conclusion
If you own or license elements that include personal identifying information of a New Mexico resident, you are required to have a data breach response plan that complies with the Data Breach Notification Act. However, if you are subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996, you are exempt from the provisions of the Data Breach Notification Act.
Source(s):
- [1.1] Notification of security breach.
- [1.5] Exemptions.
Jurisdiction
New Mexico