Cybersecurity regulation in Puerto Rico (2026)
Puerto Rico enacted a comprehensive cybersecurity law, Act 40-2024, establishing minimum cybersecurity standards, a zero-trust approach, and a 48-hour incident-reporting duty for the executive-branch government and any person or entity contracting with or doing business with the Government. This is layered on top of the longstanding Act 111-2005 personal-data breach-notification statute, a sector-specific insurance cybersecurity rule (OCS Rule 108, 2024), and the federal cybersecurity regime that applies because Puerto Rico is a U.S. territory.
Key points
Approved January 18, 2024, Act 40-2024 creates a binding cybersecurity framework for the executive branch, its agencies and public corporations, and for any natural or legal person doing business with or contracting with the Government, mandating encryption, data classification, multi-factor authentication and a 'zero trust architecture' approach.
Covered entities must report cybersecurity incidents to the Office for Cyber Incident Evaluation within 48 hours. The law establishes a Chief Information Security Officer (CISO) under PRITS, which sets minimum standards and may terminate non-compliant government contracts.
Government entities and their contractors are prohibited from paying ransomware demands (limited case-by-case exceptions for immediate public-safety/critical-infrastructure risk). Non-compliance carries daily fines up to $100, penalties up to $5,000 for gross negligence/willful misconduct, and restrictions on future government contracts.
The Citizen Information on Data Banks Security Act (10 LPRA §§ 4051 et seq.) requires any holder of a database with PR residents' personal information to notify affected individuals and report to the Department of Consumer Affairs (DACO) within 10 days of detecting an unauthorized-access breach; fines range from $500 to $5,000 per violation.
The Office of the Commissioner of Insurance adopted Rule 108 (Sept 10, 2024), modeled on the NAIC Insurance Data Security Model Law, requiring insurers doing business in PR to maintain a written cybersecurity program; breaches affecting >250 local residents must be reported to OCS within 72 hours of concluding the investigation, and affected individuals notified within 10 days.
As an unincorporated U.S. territory, Puerto Rico is also subject to applicable U.S. federal cybersecurity and sectoral data-security regimes (e.g., HIPAA, GLBA, and CISA/SLCGP programs); Puerto Rico has received State and Local Cybersecurity Grant Program funding (~$12.6M over four years) to strengthen government, municipal and critical-infrastructure cyber posture.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.