The New Mexico Nondisclosure Act: Implications for Insurers and Contractors

In a significant legislative development, New Mexico has enacted the 'Nondisclosure of Sensitive Personal Information Act' through Senate Bill 36 (SB 36), dramatically altering how state agencies manage personal information. Set to take effect on July 1, 2025, this act introduces stringent penalties for the unauthorized disclosure of personal data by state employees, which is expected to significantly impact insurers, contractors, and government service providers. The act stipulates both civil penalties and criminal sanctions for breaches relating to this sensitive information, compelling a broad spectrum of entities to re-evaluate their compliance and data management strategies diligently.

The scope of 'sensitive personal information' under SB 36 is notably broad. It encompasses data concerning an individual’s status regarding public assistance or as a crime victim, sexual orientation, gender identity, disabilities, medical condition, immigration status, national origin, religious affiliation, and social security numbers, including tax IDs. State employees are prohibited from disclosing such information unless an exception applies. Permissible disclosures include those essential for performing state agency functions, mandated by a court order or the Inspection of Public Records Act, required by federal statutes, involved in legal or administrative proceedings, made to a state contractor under stringent same-disclosure obligations, allowed under the Whistleblower Protection Act, authorized by HIPAA, or made with informed consent from the individual concerned.

Enforcement of SB 36 is entrusted to the New Mexico attorney general, district attorneys, and the state ethics commission, who are empowered to pursue civil lawsuits to address or preempt violations. Each infraction invites a civil fine of $250, capped at $5,000 per incident, thus providing a clear deterrent against unauthorized data handling. In parallel, SB 36 modifies the New Mexico Motor Vehicle Code under Section 66-2-7.1 to reinforce confidentiality in motor vehicle records. Employees and contractors of the Motor Vehicle Division (MVD) face legal constraints on disclosing private data obtained from driver's licenses, vehicle titling, and related programs, apart from specific scenarios such as confirmed individual consent, government agency use, research adhering to anonymity, and insurer-associated claims or fraud-related exercises.

For insurers and businesses interfacing with state agencies, SB 36 necessitates a thorough re-assessment of data-sharing protocols. Although the act delineates exceptions for insurers in processes like underwriting and fraud detection, these allowances are contingent on stringent certification requirements concerning the non-disclosure of information for immigration enforcement, barring felony cases. Non-compliance risks severe repercussions, including the revocation of data access rights and potential legal penalties. Agencies must ensure that contractors comply with new standards mirroring those expected of state employees, thereby fostering a secure data management ecosystem. As agencies and contractors prepare for the July 1, 2025 deadline, SB 36 highlights a progressive shift in data privacy legislation, challenging businesses to navigate an increasingly complex regulatory landscape while safeguarding individual privacy interests.