Data breach legislation: As states step up, will the Fed follow?
April 7, 2014 by Robert Siciliano — speaker, IDTheftSecurity.com
A data breach notification bill, H.B. 224, was recently introduced in the New Mexico legislature. If enacted, it would make New Mexico the 47th state to adopt data breach notification requirements.
H.B. 224 would require organizations to notify affected individuals within 10 days of discovering a breach, and to notify the state attorney general within 10 business days if more than 50 state residents are affected.
Other provisions of the bill include the following:
Payment card breach
- Card issuers who experience a breach would be allowed two business days to notify merchants "to which the credit card number or debit card number was transmitted."
- The bill would set a risk-of-harm threshold to determine when an alert would be required for a breach.
- If magnetic stripe data or other information is exposed, resulting in harm or a risk of harm to the cardholder and compromise of access device data, cardholders would have to be notified. The card issuer would not need to approve or direct that notification.
- Card issuers would be able to sue to recover administrative costs if a card reader is breached or if magnetic stripe data is compromised.
Data security and disposal
- The bill would require companies to implement and maintain reasonable security measures to protect personal identifying information from unauthorized access or other fraudulent use.
- Businesses would also have to include these data security standards in contracts involving "non-affiliated third parties" with whom they share personal information.
- Personal data, in whatever form, would have to be disposed of in such a way that the personal identifying information cannot be read or deciphered.
Enforcement
- The bill would authorize the state attorney general to seek injunctive relief and recovery of damages in court.
- A company that failed to give notice of a breach would face harsh fines.
- Customers could sue for damages of $100 to $300, depending on circumstances.
It might be just a matter of time before the federal government steps in and decides that the PCI Data Security Standard (PCI DSS) does not adequately address customer data protection. The PCI DSS is an industry standard enforced through contracts with the card brands and covers only cardholder data, whereas a breach law such as H.B. 224 reaches all personal identifying information and carries statutory penalties. Businesses that see the writing on the wall are making smart, proactive investments in their customers' security.
Robert Siciliano is an identity theft expert to AllClearID, and the author of "99 Things You Wish You Knew Before Your Identity Was Stolen."