Puerto Rico

State Data Breach Notification Statute

Highlights

Covered Entities: An agency, board, body, examining board, corporation, public corporation, committee, independent office, division, administration, bureau, department, authority, official, instrumentality or administrative organism of the three branches of the government; and every corporation, partnership, association, private company, or organization authorized to do business or operate in Puerto Rico, and any public or private educational institution.

Consumer Notification: Notification must be provided to any Puerto Rico resident whose unencrypted personal information is accessed without authorization.

Regulatory Notification: Notification must be provided to the Department of Consumer Affairs within 10 days of the discovery of a “breach.” Government agencies and public corporations may have additional reporting obligations.

Notification Timeline: Notification must be provided as expeditiously as possible, subject to the needs of law enforcement agencies to secure possible crime scenes and evidence, and to the measures necessary to restore the integrity of the system.

Data Format: Electronic and physical.

Citations: 10 L.P.R.A. §§ 4051–4055

More Details

Definitions:

  • Breach: Unauthorized access to computerized data that compromises the security, confidentiality, or integrity of personal information; or access to personal information by normally authorized individuals or entities where the covered entity knows or reasonably suspects that the accessor has violated professional confidentiality or obtained authorization for access under false representations with the intention of illegally using the information.
  • Personal Information:
    • An individual’s first name / first initial and last name in combination with one or more of the following data elements:
      • Social Security number;
      • Driver’s license number, voter’s identification or other official identification;
      • Bank or financial account numbers of any kind, with or without any access codes;
      • Usernames plus a password or access code that would permit access to information systems;
      • Medical information;
      • Tax information;
      • Work-related evaluations.
  • Medical Information: Medical information protected by the Health Insurance Portability and Accountability Act.
  • Health Insurance Information: N/A

Safe Harbors:

  • Encryption: Notification is not required where the potentially impacted PI is encrypted.
  • Good Faith: N/A
  • Risk of Harm: N/A
  • Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that notification would impede a criminal investigation.

Direct Notice:

  • Timing: Notification must be provided as expeditiously as possible, subject to measures necessary to restore the integrity of the system.
  • Format: Notification must be provided in a clear and conspicuous manner.
  • Content: Notification must include:
    • A general description of the “breach”;
    • The type(s) of PI impacted;
    • A toll-free number and website for affected individuals to obtain information or assistance.
  • Method: Notification must be provided (1) by written notice or electronic methods in compliance with the Digital Signatures Act; or (2) by substitute notice.

Substitute Notice:

An entity may provide substitute notice if: (1) the cost of direct notice or of identifying affected individuals is excessively onerous due to the size of the population, the difficulty of locating all individuals, or the economic situation of the entity; (2) the cost exceeds $100,000; or (3) the notification population exceeds 100,000. Substitute notice must include: (1) prominent display at the entity’s premises, on the entity’s webpage, and in any mailing list; and (2) notice to the media, including information about the “breach” and contact information.

Remediation Services:

N/A 

Regulatory Notice:

Notification must be provided to the Department of Consumer Affairs within 10 days of the discovery of a “breach.” Government agencies and public corporations may have additional reporting obligations.

Credit Reporting Agencies Notice:

N/A

Third-Party Notice:

Any entity that resells or provides access to databases containing PI must notify the owner, custodian, or holder of the PI of a “breach.”

HIPAA:

N/A

Private Action:

N/A

Associated Regulations:

N/A

Constangy, Brooks, Smith & Prophete, LLP