28 November 2015

Identity Theft Expert

Robert Siciliano - IDTheftSecurity.com


Data Breach Notification Bill goes to the House

25 March 2014

H.B. 224, a newly introduced data breach notification bill for New Mexico, would require organizations to notify affected individuals within 10 days of discovering a breach of unencrypted credit card data, and to notify the state attorney general within 10 business days if more than 50 New Mexico residents are affected.


The bill allows for a shorter notification deadline, lets card issuers sue to recover costs linked to the breach, and lets customers sue for statutory damages.

The bill would also impose data security and data disposal requirements on companies operating in New Mexico. If enacted, H.B. 224 would make New Mexico join the 46 states that already have data breach notification laws.

Payment Card Breach

  • Within two business days: the time a breached card issuer would have to notify all merchants “to which the credit card number or debit card number was transmitted,” according to H.B. 224.
  • H.B. 224 would also set a risk-of-harm threshold for when notification of a card breach is required.
  • Notification would be required when magnetic stripe data or other information is exposed in a way that causes harm or a risk of harm to the cardholder and compromises access device data; the card issuer would not need to approve or direct the notification.
  • Card issuers could sue to recover administrative costs if a card reader is breached or magnetic stripe data is compromised.

Data Security and Disposal

  • The bill would require companies to “implement and maintain reasonable” security measures to protect personal identifying information from illegitimate access or other fraudulent use.
  • Businesses would also have to include these data security standards in contracts with “non-affiliated third parties” with which they share personal information.
  • Personal data, in whatever medium it is stored, would have to be disposed of so that the personal identifying information cannot be read or deciphered.


  • The bill would authorize the state attorney general to seek injunctive relief and recover damages through the courts.
  • A company that fails to give notice of a breach could face substantial fines if the bill is enacted.
  • Customers could sue for damages of $100 to $300, depending on the circumstances.

Being accountable:

It may be only a matter of time before the federal government steps in and decides that PCI standards alone do not solve the customer data protection problem. Businesses that see the writing on the wall are being proactive and investing more wisely in their customers' security.

