Fall 2006-04 New DACO regulation on information security
Arrow Down
  1. Home
  2.  » 
  3. News & Publications
  4.  » 
  5. Archived News Letters
  6.  » Fall 2006-04 New DACO regulation on information security

Fall 2006-04 New DACO regulation on information security

newsletter header

Number 65
Fall 2006

New DACO regulation on information security

Infringement of information security is the subject of a new regulation promulgated by the Puerto Rico Department of Consumer Affairs (DACO)-Regulation Number 7207.


Data banks


It provides that entities that maintain data banks with information that include the names of persons and at least one of the other items listed below, must deliver certain notices whenever it discovers a security breach. The list of other items is the following:

  • Social Security number,
  • number of driver’s license, electoral card or other official identification,
  • bank account number (whether or not protected by an access code),

user name and access code,

medical information protected by HIPAA,

tax information, or

work performance evaluation.




The regulation does not apply if the information in question is limited to mailing or residential addresses, or other data available to the general public. Also exempted are data banks protected by cryptographic code, as well as those not kept for commercial purposes.




If a breach in security happens, the entity keeping the information must notify the persons affected as soon as possible. It must also give notice to the entity from which it acquired the data, or who provides it access to the data.

The notice must be in writing and must contain certain information listed in the regulation.


Alternate notification


The regulation permits alternate means of notification, such as advertising in the press, if the cost of individual notifications exceeds $100,000, or if individual notifications are otherwise too onerous, given the number of persons involved, difficulty in locating them or the entity’s economic condition.


Notice to DACO


In addition, the breach must be notified to DACO within ten days of its discovery. DACO, in turn, must make a public announcement, if notice to all persons affected was not possible.

© 2006 Goldman Antonetti & Cordóva, LLC