Any entity that is the owner or custodian of a database that includes personal information of citizens residents of Puerto Rico must notify said citizens of any breach of the security of the system when the database whose security has been breached contains, in whole or in part, personal information files and the same are not protected by an encrypted code but only by a password.
Any entity that as part of their operations resells or provides access to digital data banks that at the same time contain personal information files of citizens must notify the proprietor, custodian or holder of said information of any violation of the system’s security that has allowed access to those files to unauthorized persons.
Clients must be notified as expeditiously as possible, taking into consideration the need of law enforcement agencies to secure possible crime scenes and evidence as well as the application of measures needed to restore the system’s security. Within a non-extendable term of ten (10) days after the violation of the system’s security has been detected, the parties responsible shall inform the Department, which shall make a public announcement of the fact within twenty-four (24) hours after having received the information.
History —Sept. 7, 2005, No. 111, § 3; June 19, 2008, No. 97, § 2.