New Data Breach Law in the U.S. Territory of Guam
9 G.C.A. § 48.10, also known as the Guam Data Breach Notification Law, is a data breach and personal privacy law that was passed in the U.S. territory of Guam in 2019. 9 G.C.A. § 48.10 follows the same legislative approach that other states and territories within the U.S. have taken in the past decade to protect citizens and consumers in the event that their personal information is improperly disclosed as a result of a data breach or related security incident. Accordingly, 9 G.C.A. § 48.10 establishes the steps and measures that agencies, business entities, and organizations within the territory of Guam are responsible for taking in the event that they experience a data breach.
How is a data breach defined under 9 G.C.A. § 48.10?
Under 9 G.C.A. § 48.10, a data breach is defined as “the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of Guam.” As to the scope and application of the law, 9 G.C.A. § 48.10 applies to “individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information.” The provisions of the law do not apply to personal information that has been encrypted or redacted.
What are the requirements of agencies, businesses, and organizations under 9 G.C.A. § 48.10?
Under 9 G.C.A. § 48.10, agencies, businesses, and organizations that conduct operations within the territory of Guam are responsible for providing all affected parties with data breach notifications in the event that such an incident occurs. These notices must be provided to affected parties without unreasonable delay and provide said parties with information including the categories of personal information that were disclosed as a result of the data breach, as well as any steps the business or organization has taken to determine the scope and severity of the data breach, among other pertinent details. To this end, the following forms of personal information, in conjunction with a “first name, or first initial, and last name in combination with and linked to any one or more of the following data elements that are neither encrypted nor redacted”, are protected under 9 G.C.A. § 48.10:
- Social security numbers.
- Driver’s license numbers or Guam identification card numbers that may be issued in lieu of a driver’s license.
- Financial account numbers, credit or debit card numbers, as well as any required access code, security code, or password that would allow access to an individual’s financial accounts or related records.
What are the exceptions to 9 G.C.A. § 48.10?
Businesses and organizations within Guam may provide substitute notices to affected parties in the event that a data breach occurs, albeit only under certain circumstances. Such circumstances include instances where providing standard data breach notices would cost a business or organization more than $10,000, where the affected parties total more than 5,000 individuals, or where a business or organization does not have sufficient contact information or consent to provide affected parties with standard notification. These substitute notices must be made available via email if the affected business or organization has such contact information, must be conspicuously posted on the website of the business or organization provided it has one, and must also be sent to major media outlets within the territory of Guam.
As concerns enforcement, 9 G.C.A. § 48.10 is enforced by the Office of the Attorney General of Guam. Organizations and businesses within Guam that fail to comply with the provisions set forth in the law are subject to a range of penalties. As stated in the law, a “violation resulting in injury or loss may be enforced by the Attorney General who has exclusive authority to bring an action for actual damages or for a civil penalty not to exceed $150,000 per breach of the security of the system or per series of similar breaches discovered in a single investigation.” Third parties who collect or process personal information on behalf of a business or organization within Guam are likewise subject to these penalties should they be found in violation of the law.
As all fifty states within the U.S. had effectively passed some form of data breach notification law by 2018, the various other territories that comprise the U.S. have enacted similar legislation in recent years. As part of this trend, the Guam Data Breach Notification Law was passed in 2019 for the purpose of ensuring that the personal information of residents of the territory is protected in the event that said information is improperly disclosed in a data breach. Thus, despite the fact that the U.S. has yet to pass a comprehensive federal data privacy law such as the EU’s GDPR, every jurisdiction within the country, whether a state or a territory, now has some form of data breach notification coverage.