AG seeks improved data breach reporting law
New Mexico’s two-year-old law requiring that consumers be notified when a data breach occurs was a victory when it passed, but now it’s time for some big changes, says the state Attorney General’s Office and a key lobbyist.
The Data Breach Notification Act says businesses and public entities, within 45 days, must notify New Mexico residents affected when a hacker breaks into their systems. However, there is no requirement to report the breach to the AG’s Office or consumer reporting agencies, unless more than 1,000 people are affected. Generally, the act gives the agency only limited power to investigate breaches or monitor compliance other than through voluntary reporting, according to an AG report released last year.
It points out those issues as among the revisions needed to give the act more teeth and to monitor compliance.
Paul Stull, CEO of the Credit Union Association of New Mexico, is taking up that challenge and is already talking to lawmakers about making some fixes during the 2020 legislative session.
“The report ... is pretty straightforward in saying current law kind of has no teeth,” Stull says. “The AG is not empowered to keep records. Therefore, it is not able to come up with statistics on who or who hasn’t complied.”
The AG report says a broad review of breach notifications in states with such laws “strongly suggests that the overwhelming majority of data breaches affecting New Mexicans likely go unreported to the (attorney general) due to the 1,000-resident reporting threshold.” That threshold “is so high that it effectively renders the (act’s) requirement to notify the (attorney general) and major credit reporting agencies almost meaningless.”
As it stands, the AG has had 32 data breach notifications since July 18, a spokesman said.
Another weakness, according to the report: The act mandates merchants take only “reasonable” security measures to manage personal data, a term that is “too vague and open to interpretation.”
Instead, “reasonable” measures should be tied to a regularly-updated national standard, the report said.
Gather up any sensitive documents you want to get rid of and do so safely at a free shredding event from 10 a.m. to noon Oct. 26.
It will take place at the Adelante Document Destruction site at 1618 1st NW, and is sponsored by Adelante and the Better Business Bureau. You can bring no more than two large garbage bags, and no registration is required. For more information, contact the BBB (505) 346-0110 or by email at info@ bbbsw.org .
Here is a new scam reported by PNM. A customer gets a call saying there’s a system upgrade or construction in the area, and is told to log off all computers and flip off breakers until the work is completed.
The scammer doesn’t immediately ask for money, according to spokeswoman Shannon Jackson, but soon after tells the customer they need to pay up so their power can be turned back on.
“... Customers often panic,” Jackson said “If this situation were true, the customer could simply flip their breakers back over, and power would be restored.”
Contact Ellen Marks at emarks@abqjournal.com or 505-823-3842 if you are aware of what sounds like a scam. To report a scam to law enforcement, contact the New Mexico Consumer Protection Division toll-free at 1-844-255-9210.