New Mexico clamps down on personal data sharing - insurers take note

A newly signed bill in New Mexico has introduced sweeping restrictions on the disclosure of sensitive personal information by state agency employees, in a move that is likely to have compliance implications for insurers, contractors, and government service providers. The “Nondisclosure of Sensitive Personal Information Act,” passed under Senate Bill 36 (SB 36), will take effect on July 1, 2025, and adds both civil penalties and criminal sanctions for improper handling of personal data.

Under SB 36, “sensitive personal information” is defined as an individual’s:

• status as a recipient of public assistance or as a crime victim;
• sexual orientation, gender identity, physical or mental disability, medical condition, immigration status, national origin or religion; and
• social security number, including tax identification number.

The law prohibits state employees from intentionally disclosing such information acquired by virtue of their employment to anyone outside the agency, unless a specific exception applies. These exceptions include disclosures that are:

• necessary to carry out a function of the state agency;
• required by a court order or subpoena from a state or federal court;
• mandated by the Inspection of Public Records Act;
• required by federal statute;
• made to or by a court or administrative tribunal as part of a proceeding or record;
• made to a state contractor that requires the information to fulfill contractual duties and has agreed in writing to the same disclosure restrictions;
• made under the Whistleblower Protection Act;
• expressly permitted by the Health Insurance Portability and Accountability Act (HIPAA); or
• made with the written consent of the individual whose information is being disclosed.

The bill authorizes the New Mexico attorney general, district attorneys, and the state ethics commission to initiate civil actions in district court to enforce or prevent violations of the act. Each violation carries a civil penalty of $250, with a maximum total penalty of $5,000 per violation.

This provision introduces a formal enforcement mechanism for violations involving sensitive personal information held by state employees, extending liability not only to the state but potentially to contractors and others handling this data.

In addition to creating the standalone privacy protections, SB 36 amends Section 66-2-7.1 of the New Mexico Motor Vehicle Code to clarify and reinforce confidentiality requirements related to motor vehicle records.

It is now unlawful for any employee or contractor—current or former—of the Motor Vehicle Division (MVD) to disclose personal information obtained through driver's licenses, vehicle titling, registration, ignition interlock programs, or state-issued IDs, except in defined circumstances. These include:

• disclosures to the individual or their authorized representative;
• use by government agencies performing official duties;
• use in motor vehicle safety, theft, emissions, recalls, performance monitoring, or market research;
• use in research or statistics as long as the data is not used to contact individuals or published in identifiable form;
• use by insurers or self-insured entities for claims, antifraud, rating, or underwriting;
• notification to owners of towed or impounded vehicles;
• verification by employers or their insurers of commercial driver’s license holders;
• disclosures based on written consent from the individual;
• use by insured financial institutions for verifying submitted personal data or pursuing fraud remedies;
• organ donor registration and communication;
• and identification of owners and lienholders of abandoned vehicles to facilitate statutory notifications.

Additionally, Section 66-2-7.1 now explicitly prohibits disclosing personal information to any federal, state, or local agency or nongovernmental entity for the purpose of enforcing the federal Immigration and Nationality Act—except for felony criminal provisions of that act.

If a nongovernmental entity is found to have violated this provision, the director of the MVD may revoke its access to personal information. Any individual who violates this section may be charged with a misdemeanor and sentenced in accordance with Section 31-19-1 NMSA 1978.

For insurers, third-party administrators, and contractors working with state agencies, SB 36 necessitates careful review of current data-sharing practices. Although the law provides specific carve-outs allowing insurers access to personal information for underwriting, claims, and fraud prevention purposes, these must be balanced against enhanced requirements for written consent and contractor certification.

Entities receiving data under MVD authority must certify in writing that they will not use or disclose personal information for immigration enforcement, other than felony provisions. This requirement applies both at the time of data access and at contract renewal.

Contractors may face loss of access and legal liability if they violate these conditions. Agencies are expected to ensure that contractors adhere to the same restrictions as state employees.

The provisions of SB 36 will take effect on July 1, 2025, giving agencies and contractors time to update internal policies, training, and data handling agreements. Given the increasing national focus on data privacy and state-level action, the New Mexico law adds to a growing patchwork of privacy rules that insurers and government vendors must navigate.