Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Laws effective June 16, 2017
  • Reporting to State Attorney General and consumer reporting agencies may be required and must be made in 45 days
  • Specific methods of consumer notification delivery
  • Notifications must be made in 45 days
  • Data owners are responsible for reporting and notifications.
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply

Who Me?

New Mexico breach and notification laws may apply if you are a data collector that:

  • Owns, receives, stores, maintains, processes, or is otherwise permitted to access or license data elements that include PII of a New Mexico resident (data owner)
  • Receives, stores, maintains, processes, or is otherwise permitted to access, or is licensed to maintain or possess, computerized data containing PII of a New Mexico resident (data non-owner)

What is PII?

PII relevant to a breach in NM includes an individual’s first name, or first initial, and last name in combination with one or more of the following:

  • Social security number;
  • Driver’s license number;
  • Government-issued identification number;
  • Account number, credit card number or debit card number in combination with any required security or access codes or passwords, etc.;
  • Biometric data.

A few applicable statutes include, but are not limited to:

Data Breach Notification Act (H.B. 15)

Chapter 57: Trade Practices and Regulations \ Article 28: Privacy Protection, 57-12B-1 through 57-12B-4

Chapter 59A: Insurance Code \ Article 2: Office of Superintendent of Insurance

Chapter 24: Health and Safety \ Article 14A: Health Information Systems

The NM State Attorney General may bring an action on behalf of individuals and in the name of the state alleging a violation of the Data Breach Notification Act. In such an action, the court may issue an injunction and award damages for actual costs or losses, including consequential financial losses.

If the court determines that a person violated the Data Breach Notification Act knowingly or recklessly, the court may impose a civil penalty of the greater of twenty-five thousand dollars ($25,000) or, in the case of failed notification, ten dollars ($10.00) per instance of failed notification up to a maximum of one hundred fifty thousand dollars ($150,000).



Factors to consider when assessing reporting requirements include, but are not limited to:

  • The combination of personal information breached;
  • If the data was computerized;
  • If the data was encrypted or redacted or rendered unusable;
  • If the data included any kind of key or password;
  • If it was acquired by an unauthorized person; or
  • If it materially compromises the personal information held by the data collector.


Notification obligations are triggered if a security breach meets the harm threshold of posing a “significant risk of identity theft or fraud”. The notification may be delayed if a law enforcement agency determines that the notification would impede a criminal investigation, or as necessary to determine the scope of the security breach and restore the integrity, security and confidentiality of the data system. Otherwise, the notification must be made no later than forty-five (45) calendar days following discovery of the security breach.

If more than 1,000 consumer notifications result from a single security breach, the attorney general and major consumer reporting agencies must also be notified no later than forty-five days after discovery. There are specific instructions on what should be included.

Notification requires detailed information and potentially the provision of services.

The notification may only be delivered by mail or sent electronically (consistent with US Code Section 7001 of Title 15).

A substitute notice can be sent if the person demonstrates that the cost of providing the notice would exceed $100,000, that the number of persons to be notified exceeds 50,000, or that they do not have sufficient contact information. Substitute notice may be given by email notice, conspicuous posting on the person’s website, or written notification to the office of the attorney general and major media outlets in New Mexico.

Contact the Privacy Experts at CSR