Copyright © 2015 Albuquerque Journal
A bill that would have required retailers to notify customers when they were at significant risk of identity theft or fraud due to computer data breaches died in the final days of the Legislature’s annual session.
The House unanimously approved the legislation in February, and the Senate Corporations and Transportation Committee unanimously OK’d it March 7. But the measure couldn’t get past the Senate Judiciary Committee at a hearing March 16.
No one testified against the bill, but it was opposed by most members of the panel’s Democratic majority.
New Mexico is one of only three states without a law requiring that consumers be notified in case of computer data breaches, according to the National Conference of State Legislatures.
The goal of such laws is to alert people when they have had their credit card numbers, bank account passwords, Social Security numbers or other personal information stolen as a result of unauthorized access to computer data.
Voting largely along party lines, the Senate Judiciary Committee twice voted not to send the proposed New Mexico law to the Senate floor.
“The comments appeared to be it was too industry-friendly for the attorneys on the committee,” Rep. William “Bill” Rehm, R-Albuquerque, sponsor of the bill, said in an interview last week.
At the hearing, Sen. Joseph Cervantes, a trial lawyer, said he was concerned about the strength of the notification requirements for companies in the legislation, as well as a cap of $150,000 on the amount of damages the state attorney general could collect from a company for notification violations.
Cervantes, D-Las Cruces, also noted that the measure didn’t explicitly permit individuals to seek damages caused by identity theft or fraud due to notification violations.
Senate Majority Leader Michael Sanchez, a lawyer and member of the Judiciary Committee, said in an interview last week that New Mexico law caps damages only in cases of medical malpractice and when the state is sued.
Sanchez, D-Belen, said he advised Rehm he needed to remove the damage cap from the bill to win committee approval. Rehm said he was willing to do that, but committee staff advised him that changes to the notification provisions also were needed and that the committee wouldn’t take the bill up again before the end of the session.
The legislation’s demise drew the ire of one business group.
“The failure of the Senate to approve (the legislation) gives criminals another full year of free rein on those who reside in New Mexico,” Paul Stull, president and CEO of the Credit Union Association of New Mexico, said in a letter to the Journal.
Target and Home Depot were among those hit by a record 783 data breaches in 2014 across the country, according to the Identity Theft Resource Center. Eight of the breaches were reported in New Mexico.
Rehm said he plans to work with others on the legislation over the summer but said business won’t support an explicit right of individuals to seek damages for notification violations. He said he understands individuals can seek damages under current law for negligent disclosure of credit card numbers and other personal and financial information.
It was Rehm’s second attempt to win approval of a data breach notification law.
There is no national notification law, but there are federal laws dealing with security of personal medical and banking data.
As for the state laws dealing with data breaches, there are differences in notification requirements, penalties for notification violations and the rights of individuals to seek damages. For example, most states don’t permit individuals to seek damages, but at least 14 do, according to information made available by the Mintz Levin law firm of Boston.
Under Rehm’s bill, expedient notification would have been required if there was unauthorized access of personal data, the data was unencrypted and the holder of the data, such as a retailer, determined there was a significant risk of identity theft or fraud.
The legislation placed a $150,000 limit on the civil penalty that a judge could impose on a company for knowingly or recklessly violating the notification law.