Breach Based on Harm Threshold: No
Deadline for Consumer Notice: As expeditiously as possible*
Government Notification Required: Yes
Scope of this Summary:
Notification requirements applicable to entities authorized to operate or do business in Puerto Rico and that own or are custodians of covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Unauthorized access that compromises the security, confidentiality, or integrity of the covered info; or where authorized persons or entities accessed and violated professional confidentiality standards or obtained authorization under false representation with intent to make illegal use of covered info.
Encryption Safe Harbor
Statute does not apply to information that needs a special cryptographic code to access.
Form of Covered Information
At least the name or first initial and the surname of a person, together with any of the following data:
- Social Security number.
- Driver's license number, voter's identification or other official identification.
- Bank or financial account numbers of any type with or without passwords or access code that may have been assigned.
- Names of users and passwords or access codes to public or private information systems.
- Medical information protected by HIPAA.
- Tax information.
- Work-related evaluations.
Consumer Notice Timing
As expeditiously as possible, consistent with any measures to restore the security of the system.
Consumer Notice Method
By written notice, telephone notice, or electronic notice (if it is the primary method of communication with the resident or is consistent with the E-SIGN Act). Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
The notification shall be clear and conspicuous and include the following:
- A description of the breach in general terms.
- A description of the type of sensitive information compromised.
- A toll-free number and an Internet site for people to use in order to obtain information or assistance.
Notification may be delayed if law enforcement needs to secure possible crime scenes and evidence.
* Must notify the Department of Consumer Affairs within a non-extendable term of 10 days after discovery of the breach, and the Department must make a public announcement of the fact within 24 hours of receiving the notification.
Consumer Reporting Agency Notice
Exceptions for Other Laws
No provision of this chapter shall be interpreted as being prejudicial to those institutional information and security policies that an enterprise or entity may have in force prior to its effectiveness and whose purpose is to provide protection equal to or better than the information on security herein established.
If you resell or provide access to digital data banks containing covered info, you must notify the proprietor, custodian, or holder of said covered info of any breach that allows access to files containing covered info.
Private Right of Action
The Puerto Rico statute allows for private right of action.
Violations may result in civil penalties.