Puerto Rico

See the Summary of U.S. State Data Breach Maps

Quick Facts

Breach Based on Harm Threshold: NO
Deadline for Consumer Notice: As expeditiously as possible
Government Notification Required: YES

10 P.R. Laws Ann. § 4051-4055

More Details

Scope of this Summary

Notification requirements applicable to entities authorized to operate or do business in Puerto Rico and that own or are custodians of covered info. Some types of businesses may be exempt from some or all of these requirements and non-commercial entities may be subject to different requirements.

Covered Info

First name or first initial and last name, plus: Social Security number; driver's license number, voter identification or other official identification; bank or financial account number of any type, with or without any associated password or access code; names of users and passwords or access codes to public or private info systems; medical info protected by HIPAA; tax information; work-related evaluations.

Form of Covered Info

Electronic Only.

Encryption Safe Harbor

Statute does not apply to information that needs a special cryptographic code to access.

Breach Defined

Unauthorized access that compromises the security, confidentiality, or integrity of the covered info; or where authorized persons or entities accessed and violated professional confidentiality standards or obtained authorization under false representation with intent to make illegal use of covered info.

Consumer Notice

Timing: As expeditiously as possible consistent with any measures to restore the security of the system.

Content: Notice must be submitted in a clear and conspicuous manner, should describe the breach in general terms and the type of sensitive info compromised, and include a toll-free number and Internet site for people to obtain information or assistance.

Method: By written notice or by authenticated electronic means according to the Digital Signatures Act. Substitute notice is available if certain criteria are satisfied.

Delayed Notice

Notification may be delayed if law enforcement needs to secure possible crime scenes and evidence of the breach.

Government Notice

*Must notify the Department of Consumer Affairs within a non-extendable term of 10 days after discovery of the breach, and the Department must make a public announcement of the fact within 24 hours of receiving the notification.

Third-Party Notice

If you resell or provide access to digital data banks containing covered info, you must notify the proprietor, custodian, or holder of said covered info of any breach that allows access to files containing covered info.

Potential Penalties

Violations may result in civil penalties.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on July 28, 2019