A. Except as provided in Subsection C of this section, a person that owns or licenses elements that include personal identifying information of a New Mexico resident shall provide notification to each New Mexico resident whose personal identifying information is reasonably believed to have been subject to a security breach. Notification shall be made in the most expedient time possible, but not later than forty-five calendar days following discovery of the security breach, except as provided in Section 9 [57-12C-9 NMSA 1978] of the Data Breach Notification Act.

B. Notwithstanding Subsection A of this section, notification to affected New Mexico residents is not required if, after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.

C. Any person that is licensed to maintain or possess computerized data containing personal identifying information of a New Mexico resident that the person does not own or license shall notify the owner or licensee of the information of any security breach in the most expedient time possible, but not later than forty-five calendar days following discovery of the breach, except as provided in Section 9 of the Data Breach Notification Act; provided that notification to the owner or licensee of the information is not required if, after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.

D. A person required to provide notification of a security breach pursuant to Subsection A of this section shall provide that notification by:

(1) United States mail;

(2) electronic notification, if the person required to make the notification primarily communicates with the New Mexico resident by electronic means or if the notice provided is consistent with the requirements of 15 U.S.C. Section 7001; or

(3) a substitute notification, if the person demonstrates that:

(a) the cost of providing notification would exceed one hundred thousand dollars ($100,000);

(b) the number of residents to be notified exceeds fifty thousand; or

(c) the person does not have on record a physical address or sufficient contact information for the residents that the person or business is required to notify.

E. Substitute notification pursuant to Paragraph (3) of Subsection D of this section shall consist of:

(1) sending electronic notification to the email address of those residents for whom the person has a valid email address;

(2) posting notification of the security breach in a conspicuous location on the website of the person required to provide notification if the person maintains a website; and

(3) sending written notification to the office of the attorney general and major media outlets in New Mexico.

F. A person that maintains its own notice procedures as part of an information security policy for the treatment of personal identifying information, and whose procedures are otherwise consistent with the timing requirements of this section, is deemed to be in compliance with the notice requirements of this section if the person notifies affected consumers in accordance with its policies in the event of a security breach.

History: Laws 2017, ch. 36, § 6.

Effective dates. — Laws 2017, ch. 36 contained no effective date provision, but, pursuant to N.M. Const., art. IV, § 23, was effective June 16, 2017, 90 days after the adjournment of the legislature.