Data Breach Notification Law on the Island of Puerto Rico

Statute 10 L.P.R.A. St § 4051, otherwise known as the Puerto Rico Data Breach Notification Law, is a data breach notification law that was passed in the U.S. territory of Puerto Rico in 2006. As of 2022, every state or territory within the U.S. has passed some form of data breach notification legislation for the purpose of protecting American consumers from the adverse consequences of a data breach. To this end, 10 L.P.R.A. St § 4051 establishes the protocols and procedures that organizations and businesses within Puerto Rico must follow in the event that a data breach occurs. Moreover, the law also establishes the punishments that can be imposed against businesses and organizations that fail to comply with the provisions set forth in the law.

How is a data breach defined?

Under Statute 10 L.P.R.A. St § 4051, a data breach is defined as “any situation in which it is detected that access has been permitted to unauthorized persons or entities to the data files so that the security, confidentiality or integrity of the information in the data bank has been compromised; or when normally authorized persons or entities have had access and it is known or there is reasonable suspicion that they have violated the professional confidentiality or obtained authorization under false representation with the intention of making illegal use of the information. This includes both access to the data banks through the system and physical access to the recording media that contain the same and any removal or undue retrieval of said recordings.”

What kinds of personal information are covered?

Under Statute 10 L.P.R.A. St § 4051, the following categories of personal information are covered under the law, in conjunction with the first name, initial, or surname of an individual residing within Puerto Rico:

• Social security numbers.
• Driver license numbers, voter’s identification, or any other form of official identification.
• Financial account and banking credentials, with or without assigned passwords or access codes.
• The names of users, as well as passwords and access codes that may be used for private or public systems.
• Medical information that is protected in accordance with the Health Insurance Portability and Accountability Act or HIPAA.
• Tax information.
• Information related to work-related evaluations.

What are the requirements of businesses and organizations?

Under Statute 10 L.P.R.A. St § 4051, businesses and organizations that conduct operations within Puerto Rico are required to provide consumers of the territory with data breach notices in the event that said consumers have their personal information disclosed as a result of a data breach or related security incident. These notices must be submitted to affected parties in a clear and conspicuous manner and describe the categories of personal information that were disclosed in the breach in general terms. Furthermore, these notices must also include a toll-free number as well as an internet website that affected consumers can use to obtain further information or assistance concerning the data breach that occurred.

In terms of the enforcement of Statute 10 L.P.R.A. St § 4051, the provisions set forth in the law are enforced by the Secretary of Justice of Puerto Rico. As such, businesses and organizations that fail to provide consumers within Puerto Rico with data breach notices in the event that a data breach occurs are subject to a number of penalties under the law. As stated in Statute 10 L.P.R.A. St § 4051, the “Secretary may impose fines of five hundred dollars ($500) up to a maximum of five thousand dollars ($5,000) for each violation of the provisions of this chapter or its regulations. The fines provided in this section do not affect the rights of the consumers to initiate actions or claims for damages before a competent court.”

Despite the fact that the country of Puerto Rico is a U.S. territory as opposed to a state, data breach notification legislation within the country has been in place more than a decade longer than many other such state laws that have been passed in recent years. As such, residents of Puerto Rico can rest assured that they have the means to receive both assistance, justice, and ultimately compensation for damages that incur as a result of a data breach incident that leads to the unauthorized disclosure of their personal information. In this way, residents of the island can enjoy a higher level of privacy protection, despite the fact that the U.S. has yet to pass a federal comprehensive data privacy law concerning such matters.