Law
10 L.P.R.A. St § 4051 et seq.
*In Spanish; may be read on Google Chrome with translation tool.
Timing of Consumer Notification
“As expeditiously as possible.”
Method of Notice
Mail. Email permitted if it complies with E-SIGN.
Breach Definition
Unauthorized access to data files so that security, confidentiality or integrity of information has been compromised; or when authorized persons or entities access data and it is known or there is reasonable suspicion they have violated professional confidentiality or obtained authorization under false representation with intent to make illegal use of information.
PII Definition
Individual’s first name or first initial and last name in combination with any of the following, if the data can be accessed without a special cryptographic code:
  1. Social Security Number;
  2. Driver’s license number, voter’s identification or other official identification;
  3. Bank or financial account number of any type, with or without password or access code;
  4. Names of users and passwords or access codes to public or private information systems;
  5. Medical information protected by HIPAA;
  6. Tax information;
  7. Work-related evaluations.
Third Party Notice
If any entity maintains covered information for someone else, it must notify them if access to data by unauthorized persons occurs.
How to Notify
Notice must describe breach in general terms and type of sensitive information compromised. Notice must include toll-free number and Internet site for residents to obtain information or assistance.
Substitute Notice
All: (a) prominent display on webpage and in any informative flier published and sent through mail and email mailing lists; and (b) notification to major media including entity contact information.
Credit Monitoring
Not required.
When to Notify Credit Agencies
Not required.
This State's Law
None.
State Government Agency Notification Required
Yes, Department of Consumer Affairs within 10 days of breach.