Skip to main content

Puerto Rico

Click here to review text of state statute (see Laws of Puerto Rico, Title 10, Subtitle 3, Chapter 310,  §4051 et seq.)

Return to Index of States

Click here to download a print-version of the Mintz Matrix

Information Covered / Important Definitions

Information covered:

Personal information of Puerto Rico residents.

Definition includes (i) names of users and passwords or access codes to public or private information systems, (ii) medical information protected by HIPAA, (iii) tax information, and (iv) work-related evaluations.

Mailing and residential addresses are not included in the definition.

Important definitions:

“Security Breach” means any situation in which it is detected that access to personal information has been permitted to unauthorized persons or entities so that the security, confidentiality, or integrity of the information has been compromised; or, when those persons authorized to access personal information may have violated the professional confidentiality or obtained authorization under false representation with the intention of making illegal use of the information.  The definition includes both physical and electronic intrusions.

Covered Entities* / Third Party Recipients

Subject to statute:

Any entity that is the proprietor or custodian of a database that includes personal information of citizen residents of Puerto Rico.

Third party recipients:

Any entity that as part of its operations resells or provides access to digital data banks that at the same time contain personal information files of Puerto Rico citizens must notify the proprietor, custodian, or holder of the information of any security breach.

Notice Procedures & Timing / Other Obligations

Written direct notice or authenticated electronic notice must be provided to victims of a security breach as expeditiously as possible, unless a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).

  • Notice to affected persons is required to contain specific content described in statute.
  • Substitute notice is available by means prescribed in the statute if costs to exceed $100,000, affected class exceeds 100,000 persons, or covered entity has insufficient contact information. Substitute notice may be available in other situations if notification is unduly onerous or difficult.

Encryption Safe Harbor / Other Exemptions

Encryption Safe Harbor:

Statute only applies to data that is not protected by a special cryptographic code.

Notification to Regulator / Waiver

Department of Consumer Affairs must be notified of any security breach within ten (10) days of detection of security breach. 

The Department will make a public announcement about security breach within 24 hours of receiving notification from the covered entity.


Fines of $500 up to a maximum of $5000 for each violation.

Private Cause of Action / Enforcement

Private Cause of Action: Yes.

Consumers may bring actions in a competent court for damages.


Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive.  Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.

Click here to review text of state statute (see Laws of Puerto Rico, Title 10, Subtitle 3, Chapter 310,  §4051 et seq.)

Return to Index of States

Click here to download a print-version of the Mintz Matrix

Subscribe To Viewpoints