Guam Notification of Breaches of Personal Information
9 G.C.A. § 48.10, et seq.
SUMMARY:
EFFECTIVE. August 10, 2009
WHO DOES THIS LAW APPLY TO. Applies to individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information. Certain entities may be exempted from particular or all provisions of the law.
WHAT IS A BREACH. Unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an entity as part of a database of personal information regarding multiple individuals, excluding certain good faith acquisitions.
WHAT IS PERSONAL INFORMATION. First name, or first initial, and last name in combination with and linked to any one or more of the following data elements that are neither encrypted nor redacted:
- Social Security Number.
- Driver’s license number or Guam identification card number issued in lieu of a driver’s license.
- Financial account number, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial accounts.
Does not include information that is lawfully obtained from publicly available information, or from Federal, State, or local government records lawfully made available to the general public.
WHO TO NOTIFY OF THE BREACH. Must disclose any breach of the security of the system, following discovery or notification of the breach, to any resident of Guam whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. The disclosure shall be made without unreasonable delay.
EXCEPTION.
- Statute does not apply to encrypted or redacted personal information. The safe harbor does not apply when the encryption key was also compromised due to the breach or there is a reasonable belief that a resident will suffer identity theft or fraud.
- Notification is not required if the acquisition of personal information does not cause, or the subject entity does not reasonably believe it has or will cause, identity theft or other fraud to a Guam resident.
- An entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information, and that are consistent with the timing requirements of this Chapter, shall be deemed to be in compliance with the notification requirements of this Chapter if it notifies residents of Guam in accordance with its procedures in the event of a breach of security of the system.
- Compliance with Federal requirements.
  - A financial institution that complies with the notification requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance.
  - An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the entity’s primary or functional Federal regulator shall be in compliance with this Chapter.
WHEN TO NOTIFY OF THE BREACH. Notice must be without unreasonable delay consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system. Notification may be delayed if a law enforcement agency determines and advises that the notice will impede a criminal or civil investigation, or homeland or national security.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written notice to the postal address in the subject entity’s records.
- Telephone notice.
- Electronic notice.
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the cost of providing notice would exceed $10,000, the affected class of residents to be notified exceeds 5,000 people, or sufficient contact information or consent to provide notice is unavailable, substitute notice may be given. Substitute notice consists of any two of the following:
- Email notice if the individual or the entity has email addresses for the affected class of residents.
- Conspicuous posting of the notice on the entity’s website, if it maintains one.
- Notice to major Guam media.
NOTICE TO THIRD-PARTIES. Must notify the owner or licensee of personal information maintained by the subject entity as soon as practicable following discovery of a breach if the personal information was or is reasonably believed to be accessed and acquired by an unauthorized person.
CONSEQUENCES FOR FAILING TO NOTIFY. A violation resulting in injury or loss may be enforced by the Attorney General, who has exclusive authority to bring an action for actual damages or for a civil penalty not to exceed $150,000 per breach of the security of the system or per series of similar breaches discovered in a single investigation.
PRIVATE RIGHT OF ACTION. None.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. None.
LEGISLATIVE UPDATES.
P.L. 30-004:1 – signed into law 3/13/2009, Effective 8/10/2009.
For more information, see: http://www.guamcourts.org/CompilerofLaws/GCA/09gca/9gc048.pdf and http://www.guamcourts.org/
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.