Last week, New Mexico and Tennessee both passed legislation updating each state’s requirements for notifying residents following a data breach. New Mexico’s new law, H.B. 15, makes it the 48th U.S. state to enact a state data breach notification law, leaving Alabama and South Dakota as the only states that have not enacted similar laws. Tennessee’s bill, S.B. 547, amended its Identity Theft Deterrence Act of 1999 to exempt certain encrypted data from triggering notification requirements.
New Mexico’s breach notification law is similar to that of other states, with a few notable differences. As in a handful of other states, the statute’s definition of Personal Identifying Information (PII) includes biometric data as well as more commonly used categories such as Social Security numbers, driver’s license numbers, or bank account or payment card information. If the breach gives “rise to a significant risk of identity theft or fraud,” the law imposes a 45-day deadline to provide notification to affected consumers. In addition, if a single breach affects more than 1,000 New Mexico residents, the state attorney general and major consumer reporting agencies (CRAs) must also be notified within 45 days. Further, the statute specifies the content required when notifying a New Mexico resident of a breach. In addition to details about the PII believed to have been compromised and a description of the incident, affected residents are entitled to information about their rights under the Fair Credit Reporting Act, a federal statute designed to protect the privacy of consumer report information and the accuracy of data supplied to CRAs.
Tennessee’s new legislation follows last year’s amendment to its existing statute, which imposed a 45-day notification deadline for breaches of both encrypted and unencrypted data. At the time, Tennessee became the only state with a data breach notification law that did not include an encrypted data exemption. The amendment signed into law last week restores the exemption, with the added requirement that the applied encryption must comply with the National Institute of Standards and Technology’s (NIST) Federal Information Processing Standard (FIPS) 140-2 in order to qualify for the exemption.