The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
Data Breach Notification Statute
Covered Entities: An individual or entity that owns or licenses computerized data that includes personal information.
Consumer Notification: Notification must be provided to any resident of Guam whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of Guam.
Regulatory Notification: N/A
Notification Timeline: Notice must be provided without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
Data Format: Electronic.
Citations: 9 G.C.A. § 48.10 et seq.
- Breach: Unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of Guam.
- Personal Information (PI): First name, or first initial, and last name in combination with and linked to any one or more of the following data elements that relate to a resident of Guam, when the data elements are neither encrypted nor redacted:
  - Social Security number;
  - Driver's license number or Guam identification card number issued in lieu of a driver's license; or
  - Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial accounts.
- Medical Information: N/A
- Health Insurance Information: N/A
- Encryption: Notice to individuals not required unless encrypted information is accessed and acquired in an unencrypted form, or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud to any resident of Guam.
- Good Faith: Good faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or the entity is not a breach of the security of the system, provided, that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure.
- Risk of Harm: Notification is not required if the acquisition of personal information does not cause, or the subject entity does not reasonably believe it has or will cause, identity theft or other fraud to a Guam resident.
- Law Enforcement Delay: Notice required by this Section may be delayed if a law enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation, or homeland or national security. Notice required by this Section must be made without unreasonable delay after the law enforcement agency determines that notification will no longer impede the investigation or jeopardize national or homeland security.
- Timing: Notice must be provided without unreasonable delay consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
- Format: N/A
- Content: N/A
- Method: Notice to affected individuals must be by either: (1) Written notice; (2) Telephone notice; (3) Electronic notice; or (4) Substitute notice (see below).
Substitute notice may be used if the entity demonstrates that (i) the cost of providing notice will exceed $10,000, (ii) the affected class of residents to be notified exceeds 5,000 people, or (iii) sufficient contact information or consent to provide notice is unavailable.
Credit Reporting Agencies Notice:
An individual or entity that does not own or license the personal information must notify the owner or licensee of personal information maintained as soon as practicable following discovery of a breach if the personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person.
An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the entity’s primary or functional Federal regulator shall be in compliance with this Chapter.