May 3, 2017 - Last month, New Mexico became the 48th state to put a data breach notification law in place. The new law will go into effect on June 16th and will leave only Alabama and South Dakota on the roster of states not to have such a law.
The new law protects both personally identifiable information (PII) and biometric information. PII typically consists of a full or partial name combined with an address, social security number, driver's license number or date of birth. Biometric information includes fingerprints, retinal scans and other physical characteristics.
Under the new law, companies will have 45 days from the date they discover a breach to notify consumers. If a breach involves the data of more than 1,000 people, companies will also be required to notify the State Attorney General.
The law does allow companies to make a determination about the likelihood that a data breach could lead to identity theft. Unfortunately, if they determine that identity theft is unlikely, they are exempt from making notification. This has been an issue in quite a few state data breach laws and it leads to underreporting of data breaches.
The new law also requires businesses that store consumer data to put in place "reasonable security procedures" to protect that data. But the law leaves it up to individual organizations to determine exactly what those procedures should actually entail.
by Jim Malmberg