Puerto Rico

See the Summary of U.S. State Data Breach Maps

Quick Facts

Breach Based on Harm Threshold: No
Deadline for Consumer Notice: As expeditiously as possible*
Government Notification Required: Yes

10 P.R. Laws Ann. § 4051-4055

Scope of this Summary:

Notification requirements applicable to entities authorized to operate or do business in Puerto Rico and that own or are custodians of covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.

Risk of Harm Threshold

None

Breach Defined

Unauthorized access that compromises the security, confidentiality, or integrity of the covered info; or where authorized persons or entities accessed and violated professional confidentiality standards or obtained authorization under false representation with intent to make illegal use of covered info.

Encryption Safe Harbor

Statute does not apply to information that needs a special cryptographic code to access.

Form of Covered Information

Electronic Only

Covered Information

At least the name or first initial and the surname of a person, together with any of the following data:

  • Social Security number.
  • Driver's license number, voter's identification or other official identification.
  • Bank or financial account numbers of any type with or without passwords or access code that may have been assigned.
  • Names of users and passwords or access codes to public or private information systems.
  • Medical information protected by the HIPAA.
  • Tax information.
  • Work-related evaluations.

Consumer Notice Timing

As expeditiously as possible, consistent with any measures to restore the security of the system.

Consumer Notice Method

By written notice, telephone notice, or electronic notice (if it is the primary method of communication with the resident or is consistent with E-SIGN Act). Substitute notice is available if certain criteria are satisfied.

Consumer Notice Content

The notification shall be clear and conspicuous and include the following:

  • A description of the breach in general terms.
  • A description of the type of sensitive information compromised.
  • A toll-free number and an Internet site for people to use in order to obtain information or assistance.

Delayed Notice

Notification may be delayed if law enforcement needs to secure possible crime scenes and evidence.

Government Notice

* Must notify the Department of Consumer Affairs within a non-extendable term of 10 days after discovery of the breach, and the Department must make a public announcement of the fact within 24 hours of receiving the notification.

Consumer Reporting Agency Notice

N/A

Exceptions for Other Laws

No provision of this chapter shall be interpreted as being prejudicial to those institutional information and security policies that an enterprise or entity may have in force prior to its effectiveness and whose purpose is to provide protection equal to or better than the information on security herein established.

Third-Party Notice

If you resell or provide access to digital data banks containing covered info, you must notify the proprietor, custodian, or holder of said covered info of any breach that allows access to files containing covered info.

Private Right of Action

The Puerto Rico statute allows for private right of action.

Potential Penalties

Violations may result in civil penalties.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on June 15, 2023