Puerto Rico Outlines Minimum Cybersecurity Standards for Government Entities and their Contractors

On January 18, 2024, the Governor of Puerto Rico signed into law the Cybersecurity Act of the Commonwealth of Puerto Rico, Act No. 40-2024 (“Act 40”). Act 40 introduces a comprehensive cybersecurity framework required to be adopted by the Executive Branch of the Commonwealth of Puerto Rico, its agencies, departments, public corporations (the “Government”), and any natural or legal person doing business or having contracts with the Government (the “Contractors”).

Accordingly, the Government and its Contractors are required to, among other things:

  • establish control mechanisms to stop inappropriate material, malware and other threats;
  • establish control mechanisms to protect the confidentiality and integrity of information, including the use of encryption in their systems;
  • establish policies regarding the adequate use of information systems;
  • report any cybersecurity incident within 48 hours; and
  • comply with industry practice and standards when accepting credit card payments in web portals.

Under Act 40, the Puerto Rico Innovation and Technology Service (“PRITS”) is entrusted with the responsibility of ensuring the secure administration of information resources and implementing regulations, standards, and procedures pertaining to the security of information technologies at the governmental level. PRITS, together with the Puerto Rico Bureau of Statistics, is mandated to publicly disclose cybersecurity incident statistics reported by governmental agencies on their respective websites. Act 40 also creates a Chief Information Security Officer of the Government position, which, among other functions, will oversee the Office for Cyber Incident Assessment. This Office is tasked with establishing cybersecurity protocols and overseeing compliance with Act 40.

Puerto Rico government agencies are required to confer with PRITS before engaging in any contract, amendment, or renewal with a Contractor. Act 40 empowers PRITS to terminate contracts that are found to be non-compliant with the established cybersecurity standards.

The Government has until July 18, 2024, to comply with the provisions of Act 40.

The content of this McV Alert has been prepared for information purposes only. It is not intended as, and does not constitute, either legal advice or solicitation of any prospective client. An attorney-client relationship with McConnell Valdés LLC cannot be formed by reading or responding to this McV Alert. Such a relationship may be formed only by express agreement with McConnell Valdés LLC.
