Puerto Rico Data Breach Notification
P.R. Laws tit. 10, § 4051, et seq.
SUMMARY:
EFFECTIVE. January 5, 2006
WHO DOES THIS LAW APPLY TO. Applies to individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information. Certain entities may be exempted from particular or all provisions of the law.
WHAT IS A BREACH. Unauthorized access that compromises the security, confidentiality, or integrity of personal information; or when normally authorized persons or entities access such information in violation of professional confidentiality standards or obtain authorization under false representation with intent to illegally use the information, excluding certain good faith acquisitions.
WHAT IS PERSONAL INFORMATION. Name or first initial and last name, in combination with one or more of the following unencrypted data sets:
- Social Security number.
- Driver’s license, voter identification, or other official identification.
- Bank or financial account numbers of any type with or without assigned passwords or access codes.
- Usernames and passwords or access codes to public or private information systems.
- Medical information protected by HIPAA.
- Tax information.
- Work-related evaluations.
Mailing or residential addresses are not included in the protected information, nor is information that is a public document available to citizens in general.
WHO TO NOTIFY OF THE BREACH. Any person or entity must notify citizens of any breach of the security system when the breached database contains, in whole or in part, personal information files that are not protected by encrypted code but only by a password. Notice must also be sent to the Department of Consumer Affairs, within a non-extendable term of ten (10) days after the violation of the system's security has been detected. The Department of Consumer Affairs will then release a public announcement of the fact within twenty-four (24) hours after having received the information. If there is a breach or irregularity in the security system of a government agency or public corporation, the Citizen’s Advocate Office must be notified.
EXCEPTION.
- Does not apply to encrypted information.
- Conflict with preexisting institutional security policies. No provision of this chapter shall be interpreted as being prejudicial to those institutional information and security policies that an enterprise or entity may have in force prior to its effectiveness and whose purpose is to provide protection equal to or better than the information security protection established herein.
WHEN TO NOTIFY OF THE BREACH. The notice must be sent as expeditiously as possible, taking into consideration the need of law enforcement agencies to secure possible crime scenes and evidence as well as the application of measures needed to restore the system's security.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods, and should be clear and conspicuous and describe the breach in general terms and the type of sensitive information accessed:
- Written notice.
- Authenticated electronic means according to the Digital Signatures Act.
The notification shall also include a toll-free number and an Internet site for residents to use in order for the citizens to obtain information or assistance.
SUBSTITUTE NOTICE AVAILABLE. Substitute notice may be provided if the cost of providing notice or of identifying the consumers to notify is excessively onerous due to the number of persons affected, the difficulty in locating all persons, or the economic situation of the enterprise or entity; or if the cost would exceed $100,000 or the affected class to be notified exceeds 100,000 persons. Substitute notice must consist of all of the following:
- Prominent display of an announcement at the entity’s premises, on the entity’s web page, if any, and in any informative flier published and sent through mailing lists, both postal and electronic, and
- A communication to the media of the security breach that includes a description of how to contact the entity to obtain additional information. When the information is relevant to a specific commercial or professional sector, the announcement may be provided through publications or programming that are widely circulated throughout the applicable sector.
NOTICE TO THIRD-PARTIES. Any entity that resells or provides access to digital data banks containing personal information files of citizens must notify the proprietor, custodian, or holder of such information of any security system violation that allowed unauthorized access.
CONSEQUENCES FOR FAILING TO NOTIFY. Violations may result in civil penalties of $500, up to a maximum of $5,000. Fines do not affect the rights of the consumers to initiate actions or claims for damages before a competent court.
PRIVATE RIGHT OF ACTION. None provided in the statute. The fines provided in this section do not affect the rights of the consumers to initiate actions or claims for damages before a competent court.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. 2014 Law #234-2014.
LEGISLATIVE UPDATES.
H.B. 1184 – signed into law on 9/7/2005, Effective 1/5/2006.
For more information, see here: https://www.estado.pr.gov/en/laws-of-puerto-rico/
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.