The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.  

The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice. 

Back To Map
Rapid Response Hotline 877.382.2724

Puerto Rico

State Data Breach Notification Statute

Highlights

Covered Entities: An agency, board, body, examining board, corporation, public corporation, committee, independent office, division, administration, bureau, department, authority, official, instrumentality or administrative branch of the government; and every corporation partnership, association, private company, or organization authorized to do business or operate in Puerto Rico, and any public or private educational institution.

Consumer Notification: Notification must be provided to any Puerto Rico resident whose unencrypted personal information is accessed without authorization.

Regulatory Notification: Notification must be provided to the Department of Consumer Affairs within 10 days of the discovery of a “breach.” Government agencies and public corporations may have additional reporting obligations.

Notification Timeline: Notification must be provided as expeditiously as possible, subject to measures necessary to restore the integrity of the system.

Data Format: Electronic and physical.

Citations: 10 L.P.R.A. §§ 4051–4055

More Details

Definitions:

  • Breach: Unauthorized access to computerized data that compromises the security, confidentiality, or integrity of personal information, or when normally authorized individuals or entities have accessed personal information and the covered entity knows or reasonably suspects the normally authorized accessor has violated professional confidentiality or obtained authorization for access under false representations with the intention of illegally using the information.
  • Personal Information (PI):
    • An individual’s first name / first initial and last name in combination with one or more of the following data elements:
      • Social Security number;
      • Driver’s license number, voter’s identification or other official identification;
      • Bank or financial account numbers of any kind, with or without any access codes; 
      • Usernames plus a password or access code that would permit access to information systems;
      • Medical information;
      • Tax information;
      • Work-related evaluations.
  • Medical Information: Medical information protected by the Health Insurance Portability and Accountability Act.
  • Health Insurance Information: N/A

Safe Harbors:

  • Encryption: Notification is not required where the potentially impacted PI is encrypted.
  • Good Faith: N/A
  • Risk of Harm: N/A
  • Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the investigation will impede a criminal investigation.

Direct Notice:

  • Timing: Notification must be provided as expeditiously as possible, subject to measures necessary to restore the integrity of the system.
  • Format: Notification must be provided in a clear and conspicuous manner.
  • Content: Notification must include:
    • A general description of the “breach”;
    • The type(s) of PI impacted;
    • A toll-free number and website for affected individuals to obtain information or assistance
  • Method: Notification must be provided (1) by written notice or electronic methods in compliance with the Digital Signatures Act; or (2) by substitute notice.

Substitute Notice:

An entity may provide substitute notice if the cost of direct notice or identification is (1) excessively onerous due to the population size or the difficulty in locating all individuals; (2) the cost exceeds $100,000; or (3) the notification population exceeds 100,000. It must include: (1) prominent display at the entity’s premises, on the entity’s webpage, and in any mailing list; and (2) notice to the media including information about the “breach” and contact information.

Remediation Services:

N/A 

Regulatory Notice:

Notification must be provided to the Department of Consumer Affairs within 10 days of the discovery of a “breach.” Government agencies and public corporations may have additional reporting obligations.

Credit Reporting Agencies Notice:

N/A

Third-Party Notice:

Any entity that resells or provides access to databases containing PI must notify the owner, custodian, or holder of PI of a “breach.” 

HIPAA:

N/A

Private Action:

N/A

Associated Regulations:

N/A

Back to Page