Notice to Clients and Friends: Puerto Rico Approves Cybersecurity Bill with Implications on Private Contractors

On January 21st, 2024, Governor Pedro Pierluisi signed the “Cybersecurity Act for the Commonwealth of Puerto Rico” (“Ley de Ciberseguridad del Estado Libre Asociado de Puerto Rico”) (hereinafter, the “Cybersecurity Act”), which creates a regulatory framework for the protection of digitally stored government data. The Cybersecurity Act creates the position of Chief Information Security Officer and the Cyber Incident Assessment Office under the supervision of the Puerto Rico Innovation and Technology Service (“PRITS”). The Cybersecurity Act entered into effect immediately, with government agencies given six (6) months to comply. As such, PRITS will be the entity responsible for implementing, developing, and coordinating the Government’s public policy on cybersecurity. Below, you will find a summary of the most significant developments:

Applicability

The provisions of the Cybersecurity Act apply to the Executive Branch; any natural or legal person that does business or has contracts with the Government, including, but not limited to, private persons performing public functions and services, but only concerning the public functions and services performed; and to any exercise of public or private administration in which public funds or resources have been dedicated or invested (directly or indirectly), or over which the authority of any public servant has been exercised, as to the data generated as a product of such activities.

Public Policy Established by the Cybersecurity Act

  • Establish minimum standards and principles of cybersecurity centered on the concept of “zero trust architecture”.
  • Prohibit any type of ransom payment in response to ransomware, with some exceptions such as critical infrastructure and imminent risk of loss of life.
  • Protect and maintain the confidentiality, integrity, and availability of information stored and/or managed by the government.
  • Improve capabilities and efforts to deter, detect, prevent, protect, and respond to threats to government data.
  • Stop and punish the misuse by individuals of any type of information technology in the commission of criminal acts.
  • Comply with the basic cybersecurity standards set forth in the Executive Order issued on May 12, 2021, by the President of the United States, Hon. Joe Biden.

Minimum standards and principles of cybersecurity

Every government agency and every government contractor (including private entities) shall comply with and ensure that every natural or legal person doing business or contracting with them complies with at least the minimum cybersecurity standards and principles established in Article 7 of the Cybersecurity Act, emphasizing controls on internet traffic, information protection mechanisms, and encryption usage. The Cybersecurity Act mandates secure remote connections, compliance with industry security certifications, and notification requirements for cybersecurity incidents. Additionally, the Cybersecurity Act stresses the importance of data classification, multifactor authentication, and the establishment of comprehensive cybersecurity education programs. Overall, it sets rigorous standards to safeguard sensitive information and ensure robust cybersecurity practices across government entities and their service providers.

Sanctions

For government agencies found in non-compliance, the daily fine for an incident can range between fifty (50) and one hundred (100) dollars. In cases of obstruction, negligence, bad faith, recklessness, or willful refusal in handling or reporting a cyberattack, the fine can be from one thousand (1,000) to five thousand (5,000) dollars per violation. As for government contractors, if identified as responsible for non-compliance, monetary penalties up to a cap of the contracted amount, plus any other contractual and consequential damages, including penalties established by applicable local and federal laws, will be applied. In addition, neither that service provider nor any entity that shares a significant number of the same personnel may be hired by a government agency or contractor, whether directly or as a subcontractor, for five (5) years.