H.B. 224, a newly introduced data breach notification bill for New Mexico, would mandate that organizations notify breached individuals within 10 days of breach discovery (unencrypted credit card data); and within 10 business days notifying the state attorney general if more than 50 NM residents are affected.
Companies operating in NM will also have additional data security and data disposal requirements, due to the bill. Enacting H.B. 224 would make New Mexico join 46 states who have data breach alert laws.
Payment Card Breach
- Within two business days: Time allowed for card issuers facing a breach to notify all the merchants “to which the credit card number or debit card number was transmitted,” according to H.B. 224.
- H.B. 224 would also set a risk of harm threshold regarding when an alert is required for card breaches.
- If the magnetic strip data or other information is revealed, yielding harm or risk of harm to the cardholder and compromise of access device data, the bill would require notification. The card issuer would not need to give approval or direction.
- Card issuers can sue for recovery of administrative costs if a card reader is breached or if there’s a problem with strip data.
Data Security and Disposal
- The bill would make companies “implement and maintain reasonable” security measures to ensure protection of personal identifying information from illegitimate access or other fraudulent action.
- Businesses would also have to include these data security standards in contracts involving “non-affiliated third parties” that they share personal information with.
- Personal data, however which way it’s contained, be disposed of such that personal identifying information would be impossible to read or decipher.
- The bill would authorize the state attorney general to seek injunctive relief and recovery of damages via court.
- Failure of a company to notify of the breach could result in harsh fines, if the bill is enacted.
- Customers could sue for damages of $100 to $300, depending on circumstances.
It may be just a matter of time before the Federal government steps in and decides PCI Standards might not fix client data protection problems. Businesses who see the writing on the wall are being proactive and making smarter investments in their customers security.
Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.
ROBERT SICILIANO, CEO of IDTheftSecurity.com is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds. His "tell it like it is" style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders to get the straight talk they need to stay safe in a world in which physical and virtual crime is commonplace. Siciliano is accessible, real, professional, and ready to weigh in and comment at a moment's notice on breaking news.
- Data Breaches: The Insanity Continues
Robert Siciliano Identity Theft Expert The Identity Theft Resource Center Breach Report also monitors how breaches occur. This task is made more difficult by the scarcity of information provided (publicly) for approximately 1/3 of the recorded breaches. For the remainder, those events that do state how the breach occurred, malicious attacks (Hacking + Insider Theft) have
- How Data Breaches happen and how to respond
Here’s four chief ways how data breaches happen: Illegal access to information or systems. Personal Identifying Information (PII) data can be illegally accessed via technology such as computer hacking or infecting computers with viruses, Trojans or worms—leading to stolen data or malfunctioning systems. An inside job. Employees (past or present) can commit data breaches. Also, an innocent
- Hackers Target Small Business
Big companies and big government get big press when their data is breached. And when a big company is hit, those whose accounts have been compromised are often notified. With smaller businesses, however, victims are often left in the dark, regardless of the various state laws requiring notification. One reason for this is that smaller businesses
- Been Breached? A Response Plan
Should victims of a data breach be notified? This situation can be confusing due to various state laws. Certain issues must be considered, including differences among state laws. Differences include what exactly defines personally identifiable information; which agency (e.g., law enforcement, credit reporting) should be alerted; when victims should be notified; and what the notification
- Post-Data Breach Reputation Building
You WILL be hacked. Remember that mantra if you’re a business. Business leaders need to realize the effect that a data breach would have on customers and clients—an aftermath of distrust which can take a lot of time and money to rebuild. Interactions is a customer experience marketing group that released a study called “Retail’s Reality: