New Mexico Data Breach Notification Templates

Prepared for immediate attorney customization and client delivery

CONTENTS

1. Overview & Statutory Framework
2. Template A – Notice to the New Mexico Attorney General
3. Template B – Notice to Affected New Mexico Residents
4. Exhibits (optional forms & schedules)

1. OVERVIEW & STATUTORY FRAMEWORK

These templates are drafted to comply with the New Mexico Data Breach Notification Act, N.M. Stat. Ann. § 57-12C-1 et seq. (the “Act”). Key statutory points integrated herein include:

• Timing – Written notice must be provided no later than 45 calendar days after discovery of a “Security Breach.”
• AG Notice Trigger – Notice to the NM Attorney General (“NM AG”) is required if the breach involves personal identifying information (“PII”) of 1,000 or more New Mexico residents.
• Consumer Notice Content – The Act prescribes mandatory content items and prohibits inclusion of information that could further harm affected individuals.
• Manner of Delivery – Written notice may be by U.S. mail, electronic notice (where legally permissible), or substitute notice in limited circumstances.

[// GUIDANCE: Verify whether any federal sector-specific rules (e.g., HIPAA, GLBA) also apply. If so, coordinate parallel notice obligations and avoid inconsistent statements.]

2. TEMPLATE A

Notice to the New Mexico Attorney General

[LETTERHEAD OF COMPANY]
[Street Address] • [City, State ZIP] • [Phone] • [Website]

[Date]

Office of the Attorney General
Consumer Protection Division
P.O. Box 1508
Santa Fe, New Mexico 87504-1508

Re: Notice of Data Breach Under N.M. Stat. Ann. § 57-12C-1 et seq.

Attorney General [NAME]:

Pursuant to the New Mexico Data Breach Notification Act (the “Act”), [COMPANY LEGAL NAME] (“[Short Name]”) hereby provides written notice of a Security Breach involving the personal identifying information of New Mexico residents.

1. Identifying Information of Reporting Entity
   a. Legal Name: [COMPANY LEGAL NAME]
   b. State of Incorporation/Formation: [STATE]
   c. Principal Business Address: [ADDRESS]
   d. Point of Contact for AG Follow-Up: [NAME, TITLE, PHONE, EMAIL]

2. Nature of the Security Breach
   a. Incident Description: [Concise narrative—e.g., “On [Discovery Date], [Short Name] identified unauthorized access to an employee email account containing customer data.”]
   b. Date(s) of Breach: [START DATE] – [END DATE] (or “single-day incident on [DATE]”)
   c. Method of Discovery: [Brief description]
   d. Remediation Status: [Summary of containment, eradication, and ongoing monitoring steps]

3. Categories of Personal Identifying Information Involved
   • [Driver’s license or state identification number]
   • [Social Security number]
   • [Financial account or payment card information]
   • [Any other PII as defined in § 57-12C-2(D)]
   [// GUIDANCE: List only categories—not specific data elements—to avoid further risk.]

4. Scope of Impact
   a. Total number of New Mexico residents affected: [ESTIMATED COUNT]
   b. Total number of individuals nationwide affected (all jurisdictions): [COUNT]

5. Consumer Notification
   a. Date Consumer Notice Will Be/Was Mailed: [DATE – must be ≤ 45 days from discovery]
   b. Method(s) of Notice: [1st-class mail / electronic notice / substitute notice under § 57-12C-4(E)]
   c. Complimentary Services Offered: [Credit monitoring, ID theft restoration, etc.; include duration]

6. Law-Enforcement Involvement
   [If applicable] On [DATE], [Short Name] notified [NAME OF AGENCY] regarding the incident and is cooperating with the ongoing investigation. No request for delayed consumer notice was received.

7. Attachments
   • Sample Consumer Notification Letter
   • Timeline of Key Events (Exhibit A)
   • Voluntary Mitigation Measures (Exhibit B)

Please contact the undersigned with any questions or to request additional information.

Respectfully submitted,

[AUTHORIZED SIGNATORY]
[NAME] | [TITLE]
[COMPANY LEGAL NAME]
[PHONE] | [EMAIL]

3. TEMPLATE B

Notice to Affected New Mexico Residents

[CONSUMER NAME]
[Street Address]
[City, State ZIP]

Date: [DATE]

Subject: Important Notice of Data Breach

Dear [CONSUMER NAME],

[COMPANY LEGAL NAME] (“[Short Name]”) values the privacy and security of your information. We are writing to notify you of a data security incident that may have involved some of your personal information. This letter explains what happened, the steps we have taken, and steps you may take to protect yourself.

1. What Happened
   On [Discovery Date], we learned that [brief explanation—e.g., “an unauthorized third party gained access to one employee email account”]. Upon discovery, we immediately secured the account, initiated an investigation, and engaged leading cybersecurity experts to assist.

2. What Information Was Involved
   The information involved may have included your:
   • [List categories of PII, e.g., “name and Social Security number”]
   Importantly, the investigation has found no evidence to date of fraud or identity theft arising from this incident.

3. What We Are Doing
   • We contained the incident and reviewed our security controls.
   • We notified and are cooperating with law enforcement and the New Mexico Attorney General.
   • We are offering you [##] months of complimentary [credit monitoring/identity theft protection] through [SERVICE PROVIDER]. Instructions for activation are enclosed in Exhibit A.
   • We have implemented additional technical safeguards and employee training.

4. What You Can Do
   We recommend that you:
   a. Remain vigilant by reviewing account statements and monitoring free credit reports.
   b. Consider placing a fraud alert or security freeze on your credit files.
   c. Review the enclosed “Information About Identity Theft Protection” (Exhibit B) for contact information for the three nationwide consumer reporting agencies (“CRAs”), the Federal Trade Commission (“FTC”), and tips on avoiding identity theft.

5. More Information
   If you have questions, please contact our dedicated response line at [PHONE] (Monday–Friday, 8 a.m.–5 p.m. MT) or email [EMAIL]. You may also write to us at the address above.

We regret any inconvenience this may cause and appreciate your understanding. Protecting your information is important to us, and we remain committed to strengthening our security.

Sincerely,

[AUTHORIZED SIGNATORY]
[NAME] | [TITLE]
[COMPANY LEGAL NAME]

Exhibit A – Credit Monitoring Activation Instructions

[Include provider name, enrollment code, deadline to enroll, and step-by-step instructions.]

Exhibit B – Information About Identity Theft Protection

1. Fraud Alerts: Contact any one of the three CRAs to place a 1-year fraud alert.
   • Equifax – 1-800-525-6285 | www.equifax.com
   • Experian – 1-888-397-3742 | www.experian.com
   • TransUnion – 1-800-680-7289 | www.transunion.com

2. Security Freezes: You have the right to place a security freeze free of charge.

3. Free Annual Credit Reports: www.annualcreditreport.com | 1-877-322-8228
4. Federal Trade Commission: www.identitytheft.gov | 1-877-438-4338

[// GUIDANCE: Verify phone numbers and URLs immediately prior to issuance.]

4. EXHIBITS (Optional)

Exhibit A – Incident Timeline & Response Log
Exhibit B – Technical Remediation Summary
Exhibit C – Copy of Substitute Notice (if applicable)

[// GUIDANCE: Maintain exhibits internally; provide to NM AG upon request.]

FINAL COMPLIANCE CHECKLIST

1. Notification sent within 45 days of discovery.
2. AG notice included because affected NM residents ≥ 1,000.
3. Consumer letter contains all statutorily required elements:
   • Date of notice
   • Entity contact info
   • Description of breach and PII categories
   • Approximate breach date and discovery date
   • Toll-free numbers for CRAs & FTC
   • Advice to remain vigilant
4. No prohibited content (e.g., specific number of affected individuals included in consumer notice).
5. Delivery method consistent with § 57-12C-4.
6. Internal breach log retained for at least three years.

[// GUIDANCE: Complete checklist prior to mailing. Retain proof of mailing/e-delivery for litigation defense.]