New Mexico Data Breach Notification Laws: Reporting Rules & Timelines (2026)

If your business handles personal information belonging to New Mexico residents, a data breach triggers specific legal obligations under the New Mexico Data Breach Notification Act. N.M. Stat. 57-12C-1 et seq. sets out who must notify, what triggers the duty, and how quickly action is required. New Mexico was one of the later states to adopt a breach notification law, enacting the statute in 2017. However, the law includes modern provisions such as biometric data coverage and a firm 45-day notification deadline.
This guide covers the full scope of New Mexico's breach notification requirements, including what personal information triggers the law, who must be notified, the timeline, penalties, exemptions, and how the state's broader data privacy framework interacts with breach obligations.
Who Must Comply With New Mexico's Breach Notification Law
New Mexico's law applies to any person, business, or government agency that owns or licenses personal identifying information of New Mexico residents. The statute uses the term "person" broadly to include corporations, partnerships, LLCs, associations, and other entities.
The law also applies to third-party data processors. When a person or business that maintains data on behalf of another entity discovers a breach, it must notify the data owner within 24 hours of discovery. This 24-hour third-party notification requirement is faster than what most states mandate and ensures the data owner can begin the 45-day notification clock promptly.
Out-of-state businesses that handle personal information of New Mexico residents are subject to the law.
What Qualifies as a Breach
Under N.M. Stat. 57-12C-2, a "security breach" means the unauthorized acquisition of unencrypted computerized data, or encrypted computerized data together with the confidential process or key, that compromises the security, confidentiality, or integrity of personal identifying information maintained by a person.
Good Faith Exception
A good faith acquisition of personal identifying information by an employee or agent of the person for a legitimate business purpose does not constitute a security breach, provided the personal identifying information is not used for an unauthorized purpose or subject to further unauthorized disclosure.
Encryption Safe Harbor
New Mexico provides a safe harbor for encrypted data. If the compromised personal identifying information was encrypted and the encryption key or confidential process was not also acquired, notification is not required. If both the encrypted data and the key were compromised, the safe harbor does not apply.
Personal Information That Triggers Notification
New Mexico's definition of personal identifying information is notably broad for a state that enacted its law in 2017. Under N.M. Stat. 57-12C-2, personal identifying information means an individual's first name or first initial and last name combined with one or more of the following:
- Social Security number
- Driver's license number
- Government-issued identification number
- Account number, credit card number, or debit card number combined with any required security code, access code, or password that would permit access to the financial account
- Biometric data (fingerprint, voice print, retina or iris image, or other unique biological characteristics used to authenticate a specific individual)
The inclusion of biometric data places New Mexico among the states with more comprehensive protection, recognizing that biometric identifiers cannot be changed once compromised.
Personal identifying information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
The 45-Day Notification Timeline
New Mexico imposes a firm 45-day deadline for breach notification under N.M. Stat. 57-12C-6. Notification must be made no later than 45 calendar days following discovery of the security breach.

The clock starts from the date of discovery, not the date the breach occurred. This distinction matters because breaches are often discovered weeks or months after the initial unauthorized access.
When Delay Is Permitted
Notification may be delayed beyond the 45-day deadline only if:
- A law enforcement agency determines that notification will impede a criminal investigation and requests a delay. Notification must happen promptly after law enforcement determines disclosure no longer compromises the investigation.
- The entity needs time to determine the scope of the breach and restore the reasonable integrity of the data system, though this must still fall within the 45-day window unless a law enforcement delay applies.
The law enforcement exception is the only basis for extending the 45-day deadline. Internal investigation alone is not sufficient justification to exceed it.
Who Must Be Notified
Affected Individuals
Every New Mexico resident whose unencrypted personal identifying information was or is reasonably believed to have been acquired by an unauthorized person must be notified. The notification must include:
- The date, estimated date, or estimated date range of the security breach
- A description of the personal identifying information that was part of the breach
- Contact information for the person or business sending the notice
- Contact information for the consumer reporting agencies
- Advice directing the individual to review account statements, monitor credit reports, and consider placing a security freeze on their credit files
New Mexico Attorney General
The New Mexico Attorney General must be notified of any security breach affecting New Mexico residents. The statute requires AG notification when one or more New Mexico residents are affected, making it one of the broadest AG notification triggers.
The notification to the AG must include:
- A description of the security breach
- The approximate number of New Mexico residents affected
- A copy of the notification provided to individuals
- Steps taken to address the breach
Consumer Reporting Agencies
When a breach affects more than 1,000 New Mexico residents, the entity must also notify the nationwide consumer reporting agencies. The notification must include the timing, distribution, and content of the notification to individuals.
How to Provide Notification
New Mexico permits the following notification methods:
- Written notification sent by mail to the last known address of the individual
- Electronic notification if the entity's primary means of communication with the individual is by electronic means, consistent with the E-SIGN Act (15 U.S.C. 7001)
- Telephone notification
Substitute Notice
Substitute notice is available when:
- The cost of providing notification would exceed $50,000
- The affected class exceeds 100,000 New Mexico residents
- The entity does not have sufficient contact information
Substitute notice must include all of the following:
- Email notification to individuals for whom the entity has an email address
- Conspicuous posting of the notice on the entity's website
- Notification to major statewide media outlets
New Mexico's substitute notice thresholds ($50,000 cost and 100,000 affected individuals) are moderate, falling between the low thresholds of states like New Hampshire and the high thresholds of states like California.
Enforcement and Penalties
New Mexico's breach notification law is enforced by the New Mexico Attorney General under the Unfair Practices Act (N.M. Stat. 57-12-1 et seq.). A violation of the Data Breach Notification Act constitutes an unfair practice.
The Attorney General may seek:
- Injunctive relief to stop ongoing violations
- Civil penalties as provided under the Unfair Practices Act
- Restitution for affected consumers
There is no private right of action for breach notification violations. Only the Attorney General can bring enforcement actions under the statute. Individuals may pursue common law claims such as negligence, but not under the breach notification law itself.
Exemptions
New Mexico provides significant exemptions for entities that comply with equivalent federal breach notification frameworks:
GLBA-Regulated Financial Institutions
Financial institutions that maintain notification procedures as part of an information security program established under the Gramm-Leach-Bliley Act are exempt from New Mexico's breach notification requirements, provided those procedures are at least as thorough as the state statute.
HIPAA-Covered Entities
Healthcare entities and their business associates that comply with HIPAA's breach notification requirements (as outlined in the HITECH Act) are deemed in compliance with New Mexico's law.
These exemptions are broader than some states provide and fully exclude qualifying entities from the state statute rather than requiring parallel compliance.
Data Security Obligations
Beyond breach notification, New Mexico requires that any person who owns or licenses personal identifying information of New Mexico residents must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, use, modification, or disclosure. This general data security mandate applies regardless of whether a breach occurs.
Businesses that collect personal identifying information must also take reasonable steps to destroy or arrange for the destruction of records containing personal identifying information that are no longer needed, by shredding, erasing, or otherwise modifying the information to make it unreadable or indecipherable.
Sources and References
This article draws from the following official New Mexico government sources:
- N.M. Stat. 57-12C-1 et seq. (Data Breach Notification Act) - Full text of New Mexico's data breach notification statute
- New Mexico Attorney General - AG consumer protection and enforcement
- N.M. Stat. 57-12-1 et seq. (Unfair Practices Act) - Enforcement framework
This article provides general legal information about [New Mexico data privacy laws](/us-laws/data-privacy-laws/new-mexico-data-privacy-laws) and breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in New Mexico for guidance specific to your situation.