Browse data breach notification laws in the United States by states or territories. This database currently includes breach statutes for a business that collects personal information. This database is for informational purposes only and may not be up-to-date.
Last Updated | Puerto Rico breach law summary was last updated on 07/02/2017 |
Statute | 10 Laws of Puerto Rico §§ 4051 et seq. |
Covered Entities | Any entity that is the proprietor or custodian of a data bank for commercial use that includes personal information of citizens who reside in Puerto Rico. |
Covered Information | "Personal Information" includes First Name (or First Initial) and Last Name PLUS one of the following:
|
Form of Information | Electronic |
Breach Trigger | Access has been permitted to unauthorized persons or entities to the data files so that the security, confidentiality or integrity of the information in the data bank has been compromised; or when normally authorized persons or entities have had access and it is known or there is reasonable suspicion that they have violated the professional confidentiality or obtained authorization under false representation with the intention of making illegal use of the information. This includes both access to the data banks through the system and physical access to the recording media that contain the same and any removal or undue retrieval of said recordings. |
Encryption Safe Harbor | Yes. Any entity that is the proprietor or custodian of a data bank for commercial use that includes personal information of citizens who reside in Puerto Rico must notify said citizens of any violation of the system's security when the data bank whose security has been violated contains all or part of the personal information file and the same is not protected by a cryptographic code but only by a password. |
Risk of Harm Analysis | No. |
Consumer Notice | Any entity that is the proprietor or custodian of a data bank for commercial use that includes personal information of citizens who reside in Puerto Rico must notify said citizens of any violation of the system's security when the data bank whose security has been violated contains all or part of the personal information file and the same is not protected by a cryptographic code but only by a password. |
Government Agency Notice | Yes. Within a non-extendable term of ten (10) days after the violation of the system's security has been detected, the parties responsible shall inform the Department, which shall make a public announcement of the fact within twenty-four (24) hours after having received the information. |
Credit Agency Notice | No. |
Penalties | Yes, up to $5,000 for each violation. The Secretary may impose fines of five hundred dollars ($500) up to a maximum of five thousand dollars ($5,000) for each violation of the provisions of this chapter or its regulations. |
Private Cause of Action | Yes. The fines provided in this section do not affect the rights of the consumers to initiate actions or claims for damages before a competent court. |