Can I ignore consumer requests for information or deletion in New Mexico? What are the requirements?

Consumer Requests for Information or Deletion in New Mexico

In New Mexico, a person that owns or licenses records containing personal identifying information of a New Mexico resident shall arrange for proper disposal of the records when they are no longer reasonably needed for business purposes. As used in this section, “proper disposal” means shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable ^[1.1].

Regarding consumer requests for information or deletion, the Inspection of Public Records Act requires a public entity to respond to a records request within fifteen days unless the request has been determined to be excessively burdensome or broad. If the request is denied, the custodian shall provide the requester with a written explanation of the denial. It is when the custodian fails to respond to a request or deliver a written explanation of the denial that the public entity is subject to damages pursuant to this section. The enforcement and damages provisions of the Inspection of Public Records Act apply in an action for the post-denial enforcement of the request. A custodian who does not deliver or mail a written explanation of denial within fifteen days after receipt of a written request for inspection is subject to an action to enforce the provisions of the Inspection of Public Records Act and the requester may be awarded damages. Damages shall not exceed one hundred dollars ($100) per day and be payable from the funds of the public body ^[3.1].

However, a person that discloses personal identifying information of a New Mexico resident pursuant to a contract with a service provider shall require by contract that the service provider implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and to protect it from unauthorized access, destruction, use, modification or disclosure ^[1.3].

Moreover, a person that is required to issue notification of a security breach pursuant to the Data Breach Notification Act to more than one thousand New Mexico residents as a result of a single security breach shall notify the office of the attorney general and major consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the security breach in the most expedient time possible, and no later than forty-five calendar days, except as provided in Section 9 of the Data Breach Notification Act ^[1.4].

Therefore, it is not advisable to ignore consumer requests for information or deletion in New Mexico.

Source(s):

• [1.1] Disposal of personal identifying information.
• [3.1] Procedure for denied requests.
• [1.3] Service provider use of personal identifying information; implementation of security measures.
• [1.4] Notification to attorney general and credit reporting agencies.

Jurisdiction

New Mexico

• Privacy