51ST LEGISLATURE - STATE OF NEW MEXICO - SECOND SESSION, 2014

HOUSE BILL

INTRODUCED BY William "Bill" R. Rehm

AN ACT RELATING TO CONSUMER PROTECTION; CREATING THE DATA BREACH NOTIFICATION ACT; REQUIRING NOTIFICATION TO PERSONS AFFECTED BY A SECURITY BREACH INVOLVING PERSONAL IDENTIFYING INFORMATION; REQUIRING SECURE STORAGE AND DISPOSAL OF DATA CONTAINING PERSONAL IDENTIFYING INFORMATION; REQUIRING NOTIFICATION TO CONSUMER REPORTING AGENCIES, THE OFFICE OF THE ATTORNEY GENERAL AND CARD PROCESSORS IN CERTAIN CIRCUMSTANCES; PROVIDING AN ACTION FOR CIVIL LIABILITY BY CONSUMERS; PROVIDING AN ACTION FOR CIVIL LIABILITY BY CARD ISSUERS FOR A BREACH OF ACCESS DEVICE DATA; PROVIDING CIVIL PENALTIES.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:

SECTION 1. [NEW MATERIAL] SHORT TITLE.--This act may be cited as the "Data Breach Notification Act".

SECTION. [NEW MATERIAL] DEFINITIONS.--As used in the Data Breach Notification Act:

A. "access device" means a credit card, debit card or other commercial instrument a cardholder receives from a card issuer for the purpose of electronically conducting a financial transaction;

B. "access device data" means:
(1) a cardholder account number printed or embossed on an access device;
(2) the contents of a magnetic stripe, including its tracks of data, a microprocessor chip or any other mechanism for storing electronically encoded information in an access device;
(3) a service code;
(4) a card verification value, card authentication value, card validation code or card security code for the access device; or
(5) a personal identification number for the access device;

C. "authorization process" means the verification of access device data and the verification of sufficiency of funds in a credit line or a financial institution account of a cardholder for completion of a financial transaction;

D. "breach of access device data" means the retention of an unencrypted cardholder account number or unencrypted service code or the retention of a card verification value, card authentication value, card validation code, card security code or personal identification number by a merchant services provider after the conclusion of the authorization process:
(1) without the approval or direction of the card issuer;
(2) resulting in the compromised security and confidentiality of access device data; and
(3) creating a material risk of harm or actual harm to a cardholder;

E. "card issuer" means a financial institution that issues an access device;

F. "cardholder" means a person to whom an access device has been issued by a card issuer;

G. "encryption" means the use of an algorithmic process to transform data into a form in which data elements are rendered unusable without the use of a confidential process or key;

H. "financial institution" means an insured state or national bank, a state or federal savings and loan association or savings bank or a state or federal credit union;

I. "financial transaction" means an interaction between two or more persons, by mutual agreement, involving a simultaneous creation or liquidation of a financial asset and the counterpart liability or a change in ownership of a financial asset or an assumption of a liability;

J. "merchant services" means processing, transmitting, retaining or storing access device data to facilitate a financial transaction that affects a cardholder's account;

K. "merchant services provider" means a person that engages in merchant services on the person's own behalf or for the benefit of another person;

L. "personal identifying information":
(1) means information that alone or in conjunction with other information identifies a person, including the person's name, address, telephone number, driver's license number, government-issued identification number, social security number, date of birth, place of employment, mother's maiden name, demand deposit account number, checking or savings account number, credit card or debit card number, personal identification number, electronic identification code, automated or electronic signature, passwords or any other numbers or information that can be used to obtain access to a person's financial resources, obtain identification, act as identification or obtain goods and services; and
(2) does not mean information that is lawfully obtained from publicly available sources or from federal, state or local government records lawfully made available to the general public; and

M. "security breach" means the unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal identifying information maintained by a person. "Security breach" does not include the good faith acquisition of personal information by an employee or agent of a person for a legitimate business purpose of the person; provided that the personal identifying information is not subject to further unauthorized disclosure.

SECTION. [NEW MATERIAL] DISPOSAL OF PERSONAL IDENTIFYING INFORMATION.--A person that owns or maintains records containing personal identifying information of a New Mexico resident shall dispose or arrange for the disposal of the records when they are no longer to be retained. Disposal shall be accomplished by shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable.

SECTION. [NEW MATERIAL] SECURITY MEASURES FOR STORAGE OF PERSONAL IDENTIFYING INFORMATION.--A person that owns or maintains personal identifying information of a New Mexico resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.

SECTION. [NEW MATERIAL] NON-AFFILIATED THIRD-PARTY USE OF PERSONAL IDENTIFYING INFORMATION--IMPLEMENTATION OF SECURITY MEASURES.--A person that discloses personal identifying information of a New Mexico resident pursuant to a contract with a non-affiliated third party shall require by contract that the non-affiliated third party implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and to protect it from unauthorized access, destruction, use, modification or disclosure.

SECTION. [NEW MATERIAL] NOTIFICATION OF SECURITY BREACH.--

A. A person that owns or maintains computerized data elements that include personal identifying information of a New Mexico resident shall provide notification to each New Mexico resident whose unencrypted personal identifying information is reasonably believed to have been subject to a security breach. Notification shall be made within ten days following discovery of the security breach, except as provided in Section of the Data Breach Notification Act.

B. A person required to provide notification of a security breach pursuant to the Data Breach Notification Act shall provide that notification by:
(1) United States mail;
(2) electronic notification, if the notice provided is consistent with the requirements of U.S.C. Section 001; or
(3) a substitute notification, if the person demonstrates that:
(a) the cost of providing notification would exceed one hundred thousand dollars ($100,000);
(b) the number of residents to be notified exceeds fifty thousand; or
(c) the person does not have on record a physical address for the residents that the person or business is required to notify.

C. Substitute notification pursuant to Paragraph (3) of Subsection B of this section shall consist of:
(1) sending electronic notification to the email address of those residents for whom the person has a valid email address;
(2) posting notification of the security breach in a conspicuous location on the web site of the person required to provide notification if the person maintains a web site; and
(3) sending written notification to the office of the attorney general and all major media outlets in New Mexico.

SECTION. [NEW MATERIAL] NOTIFICATION--REQUIRED CONTENT.--Notification required pursuant to the Data Breach Notification Act shall contain:

A. the name and contact information of the notifying person;

B. a list of the types of personal identifying information that are reasonably believed to have been the subject of a security breach, if known;

C. the date of the security breach, the estimated date of the breach or the range of dates within which the security breach occurred, if known;

D. a general description of the security breach incident;

E. a statement that notification was delayed pursuant to Section of the Data Breach Notification Act, if a delay occurred;

F. the toll-free telephone numbers and addresses of the major consumer reporting agencies;

G. advice that directs the recipient of the notification to review personal account statements and credit reports to detect errors resulting from the security breach; and

H. advice that informs the recipient of the notification of the recipient's rights pursuant to the Fair Credit Reporting and Identity Security Act.

SECTION. [NEW MATERIAL] DELAYED NOTIFICATION.--The notification required by the Data Breach Notification Act may be delayed if:

A. a law enforcement agency determines that the notification will impede a criminal investigation; or

B. the notification will impede efforts to determine the scope of the security breach and restore the integrity, security and confidentiality of the data system.

SECTION. [NEW MATERIAL] NOTIFICATION TO ATTORNEY GENERAL AND CREDIT REPORTING AGENCIES.--A person that is required to issue notification of a security breach pursuant to the Data Breach Notification Act to more than fifty residents as a result of a single security breach shall notify the office of the attorney general and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in U.S.C. Section 1a(p), of the timing, distribution and content of the notification. Notification pursuant to this section shall be made within ten business days following discovery of the security breach.

SECTION. [NEW MATERIAL] ADDITIONAL NOTIFICATION REQUIREMENTS FOR BREACH OF CREDIT CARD OR DEBIT CARD NUMBERS.--A person that is required to issue notification of a security breach pursuant to the Data Breach Notification Act as a result of a security breach involving a credit card number or debit card number shall notify each merchant services provider to which the credit card number or debit card number was transmitted. Notification pursuant to this section shall be made within two business days following discovery of the security breach.

SECTION. [NEW MATERIAL] ATTORNEY GENERAL ENFORCEMENT--CIVIL PENALTY.--

A. When the attorney general has a reasonable belief that a violation of the Data Breach Notification Act has occurred, the attorney general may bring an action in the name of the state alleging a violation of that act.

B. In any action filed by the attorney general pursuant to the Data Breach Notification Act, the court may:
(1) issue an injunction; and
(2) award damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses.

C. If the court determines that a person violated the Data Breach Notification Act knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars ($5,000) or ten dollars ($10.00) per instance of failed notification up to a maximum of one hundred fifty thousand dollars ($150,000).

SECTION. [NEW MATERIAL] CONSUMER RIGHTS--ACTIONS--TREBLE DAMAGES.--

A. A consumer may bring an action to recover actual damages or the sum of one hundred dollars ($100), whichever is greater. When the trier of fact finds that the party charged with violation of the Data Breach Notification Act has willfully engaged in the violation, the court may award up to three times actual damages or three hundred dollars ($300), whichever is greater, to the party complaining of the violation.

B. The court shall award attorney fees and costs to the party complaining of a violation of the Data Breach Notification Act if the party prevails.

C. This section shall not be construed to limit rights and remedies available to a consumer under any other law.

SECTION. [NEW MATERIAL] BREACH OF ACCESS DEVICE DATA--CIVIL LIABILITY--REASONABLE ATTORNEY FEES.--

A. A card issuer may file a civil complaint against a merchant services provider whose retention of access device data constitutes a breach of access device data. If the card issuer is the prevailing party, a court may award the reasonable costs that a card issuer incurs for:
(1) canceling or reissuing an access device;
(2) stopping payments or blocking financial transactions to protect any account of the cardholder;
(3) closing, reopening or opening any affected financial institution account of a cardholder;
(4) refunding or crediting a cardholder for any financial transaction that the cardholder did not authorize and that occurred as a result of the breach; or
(5) notifying affected cardholders.

B. In an action pursuant to this section, the court may award to the prevailing party reasonable attorney fees.