Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 45 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach and notification laws from $25,000 up to $150,000

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Data Protection
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • There are specific defined requirements for notification.
  • For breaches involving more than 1,000 New Mexico residents, reporting must be made within 45 days to the office of the attorney general and major consumer reporting agencies.
  • The attorney general may bring an action on the behalf of individuals and in the name of the state alleging a violation; an injunction may be issued and/or damages awarded for actual costs or losses, including consequential financial losses.
  • Vendors are required to notify the data owner within 45 days of discovery of a data breach. The data owner will be responsible to complete the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
  • N.M. Stat. §§ 57-12C-1 – 57-12C-12  Data Breach Notification Act (2017)

    N.M. Stat. §§ 57-12B-1 – 57-12B-4 Privacy Protection Act (2003)

    N.M. Stat. § 59A-2-9.3  Insurance Division, Superintendent authorized and directed to promulgate privacy rules (2001)

    N.M. Stat. §§ 24-14A-1 – 24-14A-10  Health Information System Act (1989)

    N.M. Stat. §§ 14-6-1 – 14-6-3  Health and Hospital Records

BAck to map