P.R. Laws tit. 10, § 4053
The notice of breach of the security of the system shall be submitted in a clear and conspicuous manner and should describe the breach of the security of the system in general terms and the type of sensitive information compromised. The notification shall also include a toll free number and an Internet site for people to use in order to obtain information or assistance.
To notify the citizens the entity shall have the following options:
(1) Written direct notice to those affected by mail or by authenticated electronic means according to the Digital Signatures Act.
(2) When the cost of notifying all those potentially affected according to subsection (1) of this section or of identifying them is excessively onerous due to the number of persons affected, to the difficulty in locating all persons or to the economic situation of the enterprise or entity; or whenever the cost exceeds one hundred thousand dollars ($100,000) or the number of persons exceeds one hundred thousand [($100,000)], the entity shall issue the notice through the following two (2) steps:
(a) Prominent display of an announcement to that respect at the entities premises, on the web page of the entity, if any, and in any informative flier published and sent through mailing lists both postal and electronic, and
(b) a communication to that respect to the media informing of the situation and providing information as to how to contact the entity to allow for better follow-up. When the information is of relevance to a specific professional or commercial sector, the announcement may be made through publications or programming of greater circulation oriented towards that sector.
History —Sept. 7, 2005, No. 111, § 4; June 19, 2008, No. 97, § 3.