• A recently amended California state law now requires data breach notifications to be sent to
residents when encrypted personal data has been breached
• California data breach notification law: requires notice that a breach occurred related to:
• Breach notification law
• The definition of “personal identifying information” includes biometric data, defined as an
individual’s “fingerprints, voice print, iris or retina patterns, facial characteristics or hand
geometry that is used to uniquely and durably authenticate an individual’s identity when the
individual accesses a physical location, device, system or account.”
• The law applies to unencrypted computerized data or encrypted computerized data when the
encryption key or code is also compromised.
• Notice to the New Mexico Office of the Attorney General and the major consumer reporting
agencies is required if more than 1,000 New Mexico residents are notified.
• Notice must be made to New Mexico residents (and the Attorney General and Consumer
Reporting agencies if over 1,000 residents are notified) within 45 calendar days of discovery of a
security breach.
• Third-party service providers are also required to notify the data owner or licensor within 45
days of discovery of a data breach.
• Notice must be made to New Mexico residents (and the Attorney General and Consumer
Reporting agencies if over 1,000 residents are notified) within 45 calendar days of discovery of a
security breach.
• Third-party service providers are also required to notify the data owner or licensor within 45
days of discovery of a data breach.
• Requires notice of breach regardless of whether information was encrypted or not
• 2017 amendment: the change clarified that encrypted data receives the protection of the safe
harbor, unless the encryption key is also acquired in the breach
