New Data Breach Law in the U.S. Territory of Guam

January 06, 2022 | 4 minutes read
New Data Breach Law in the U.S. Territory of Guam

9 G.C.A. § 48.10, also known as the Guam Data Breach Notification Law, is a data breach and personal privacy law that was passed in the U.S. territory of Guam in 2019. 9 G.C.A. § 48.10 was passed in accordance with legislative means that other states and territories within the U.S. have taken in the past decade for the purposes of protecting citizens and consumers within the U.S. in the event that their personal information is improperly disclosed as a result of a data breach or related security incident. Subsequently, 9 G.C.A. § 48.10 establishes the steps and measures that agencies, business entities, and organizations within the territory of Guam are responsible for taking in the event that they experience a data breach.

How is a data breach defined under 9 G.C.A. § 48.10?

Under 9 G.C.A. § 48.10, a data breach is defined as “the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of Guam.” Alternatively, as it pertains to the scope and application of the law, 9 G.C.A. § 48.10 applies to “individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information.” Conversely, the provisions of the law do not apply to personal information that has been encrypted or redacted.

What are the requirements of agencies, businesses, and organizations under 9 G.C.A. § 48.10?

Under 9 G.C.A. § 48.10, agencies, businesses, and organizations that conduct operations within the territory of Guam are responsible for providing all affected parties with data breach notifications in the event that such an incident occurs. These notices must be provided to affected parties without unreasonable delay and provide said parties with information including the categories of personal information that were disclosed as a result of the data breach, as well as any steps the business or organization has taken to determine the scope and severity of the data breach, among other pertinent details. To this end, the following forms of personal information, in conjunction with a “first name, or first initial, and last name in combination with and linked to any one or more of the following data elements that are neither encrypted nor redacted”, are protected under 9 G.C.A. § 48.10:

What are the exceptions to 9 G.C.A. § 48.10?

Businesses and organizations within Guam may provide substitute data notices to affected parties in the event that a data breach occurs, albeit under certain circumstances. Such circumstances include instances where providing standard data breach notices would cost a business or organization more than $10,000, the affected parties totals more than 5,000 individuals, or a business or organization does not have sufficient contact information or consent to provide affected parties with standard notification. Moreover, these substitute notices must be made available via email if the affected business or organization has such contact information, must be conspicuously posted on the website of a business or organization permitting they have one, and must also be sent to major media outlets within the territory of Guam.

Furthermore, as it concerns the enforcement of the law, 9 G.C.A. § 48.10 is enforced by the Office of the Attorney General of Guam. As such, organizations and businesses within Guam that fail to comply with the provisions set forth in the law are subject to a range of penalties. As stated in the law, a “violation resulting in injury or loss may be enforced by the Attorney General who has exclusive authority to bring an action for actual damages or for a civil penalty not to exceed $150,000 per breach of the security of the system or per series of similar breaches discovered in a single investigation.” Additionally, third parties who collect or process personal information on behalf of a business or organization within Guam are also subject to these penalties should they be found in violation of the law.

As all fifty states within the U.S. had effectively passed some form of data breach notification law by 2018, the various other territories that comprise the U.S. have enacted similar legislation in recent years. As a result of such advancements, the Guam Data Breach Notification Law was passed in 2019 for the purpose of ensuring that the personal information of residents of the territory is protected in the event that said information is improperly disclosed in a data breach. To this point, despite the fact that the U.S. has yet to pass a federal comprehensive data privacy law such as the EU’s GDPR law, every sector within the country now has some form of data breach notification coverage, whether it be an official state or territorial jurisdiction.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Arizona’s Proposed New Law on Public Records Requests
March 13, 2023 | 7 minutes read
Arizona’s Proposed New Law on Public Records Requests

A Bit of History The date February 14th might stand out to most of us, and if you haven’t figured out why, it’s because it is the anniversary of Arizona’s Statehood. Over 100 years ago, Arizona became the 48th state to be admitted into the United States. Since governance is as old as human history, […]

Learn More »