Tag: privacy

A Puerto Rico Agency Exposed 1 Million Social Security Numbers and Denied Anything Happened. What Would You Do If This Happened to Your Business?

Can a government agency simply decide a data exposure doesn’t count as a breach — and walk away from its notification duties because of that decision? This is presently playing out in Puerto Rico. Investigative reporters at Centro de Periodismo Investigativo and ProPublica discovered that CRIM (Puerto Rico’s Municipal Revenue Collection Center) had a security gap in its public property-mapping tool, Catastro Digital, that let anyone who understood how the site requested data download unprotected personal information — including the Social Security numbers of roughly 1 million people — without ever needing a username or password. 

The reporters notified CRIM directly in mid-June, with specifics on the exact server and folders involved. CRIM’s executive director publicly denied any breach had occurred, said the agency wouldn’t notify affected citizens because no protected information was “at risk,” and — separately — never reported the incident to the Puerto Rico Innovation and Technology Service (“PRITS”), Puerto Rico’s own government IT oversight agency, despite a legal requirement to do so. Whatever position CRIM ultimately takes, this is a useful, real case study in exactly what Puerto Rico law requires when personal data is exposed — and what happens when an entity takes the position that it wasn’t.

Two Different Puerto Rico Laws Are in Play Here — And They Point in Different Directions

This story is a good illustration of something worth understanding clearly: Puerto Rico has two separate statutes governing incidents like this, and they don’t route to the same place.

  1. Puerto Rico’s Cybersecurity Law, Law Number 40 of January 18, 2024 (“Law 40“) – This law applies government agencies and government contractors. CRIM is a government agency, so it is bound by Act 40’s requirements: set minimum cybersecurity standards, conduct mandatory annual risk assessments, and — central to this story — establish a protocol requiring agencies to inform PRITS (Puerto Rico’s Innovation & Technology Service) of any suspected security incident. According to CPI and ProPublica, CRIM did not do that here.
  2. The Puerto Rico Data Breach Notification Act, Law Number 111 of 2005 (“Law 111”) — the breach notification law covered in our previous post about Oriental and Evertec — applies broadly. Its definition of “entity” explicitly includes agencies, boards, commissions, and instrumentalities of all 3 branches of Puerto Rico’s government, not just private businesses. CRIM, as a government agency, appears to be as covered by Law 111 as much as Oriental Bank. The law’s trigger — unauthorized access to a personal information file containing a name paired with a Social Security number, readable without special encryption — maps directly onto what was reportedly exposed here.

These statutes differ on which agency handles a breach. Under Article 7 of Law 111, when a breach happens at a government agency or public corporation, jurisdiction doesn’t go to DACO (the path a private business like Oriental Bank would follow) — it goes to the Puerto Rico Ombudsman (Oficina del Procurador del Ciudadano), which is required to designate a specialized prosecutor for exactly this kind of case. That’s a meaningfully different enforcement track than the private-sector cases we covered before.

“I Don’t Run a Government Agency. Why Should I Care About This?”

If you’re a business owner reading this and thinking “I’m not a government agency, so this doesn’t apply to me” — here are a few reasons why this story is still directly relevant to you:

  • If you have contracts with the Puerto Rican Government, its municipalities, or public corporations, Law 40 might apply to you. Article 2 of the Law extends its applicability to government contractors with regards to the public services it provids and information generated through the contracts. If you have a contract with the government, you should know exactly how Law 40 affects your work.
  • “We don’t think it’s a breach” isn’t a compliance strategy — it’s a gamble. Law 111’s notification trigger is unauthorized access to protected personal information, not a company’s (or agency’s) own characterization of the severity. If your business takes the position that an exposure “doesn’t count,” you’re making a legal judgment call that a regulator, a court, or an investigative reporter could later disagree with — and by then, the notification clock has already been running and you will face substantial penalties.
  • Discovery by a third party is worse than discovery by you. CRIM didn’t find this — journalists did, gave the agency specifics, and still got a public denial. If your business’s data breach is discovered by a customer, a competitor, or a reporter instead of your own IT department, the story becomes as much about the response as the incident itself.
  • Vendor and platform exposure isn’t limited to obvious “hacks.” This wasn’t a sophisticated intrusion — it was a public-facing tool that simply didn’t properly protect the access to underlying personal data. The same category of risk exists anywhere a business exposes forms, APIs, dashboards, or downloadable reports to the public without checking exactly what data those tools can actually return.
  • A slow or defensive public response compounds the exposure. Whatever the legal outcome here, the reputational and regulatory scrutiny that follows a denial — rather than a prompt, transparent response — tends to be worse than the underlying incident, especially once the story is already public.

Is Your Business Ready if Something Like This Happened to It?

  • Treat “is this a breach?” as a legal question, not a public relations question. Run any exposure through Law 111’s and Law 40’s actual definitions before deciding whether notification is required — not through how the incident might look in a headline.
  • Test what your public-facing tools can actually return, not just what they display by default. A search interface that “doesn’t show” sensitive data in its normal results can still expose that data through the underlying request structure, exactly as reported here.
  • Know which regulator has jurisdiction before an incident happens. Private businesses answer to DACO; government agencies and public corporations answer to the Ombudsman. Knowing the process in advance avoids losing time figuring it out during an active incident.
  • Determine how Law 40 might apply to you. If any of your businesses handles data as part of its obligations set in a Puerto Rico government contract, you need to know how  – and whether – this law reaches that specific part of your work.
  • Build a notification decision tree in advance, so that answering the question “was this a breach?” isn’t being decided reactively, under scrutiny, by whoever happens to be fielding the press call that day.

Conclusion

This story is a real-time example of what happens when a public or private entity takes the position that an exposure isn’t a legally significant breach, instead of analyzing the situation through potentially applicable laws and regulations. Puerto Rican law doesn’t leave the answer to the question “was this a breach?” purely to the discretion of the entity holding the data — Law 111 defines it, Law 40 layers on separate obligations for government agencies and their contractors, and neither framework disappears just because an executive says that nothing happened. 

For any business — not just government agencies — the lesson is the same one from our last post: know your obligations, know your regulator, and don’t let the first time you think seriously about either be the day a reporter calls asking why a million Social Security numbers were downloadable from your website without a password.

If you want to make sure your business — or your government contracts — actually comply with Puerto Rico’s data security and breach notification laws, please book a consult with us today. We’ll help you build the decision tree, the vendor terms, and the response plan before an incident forces you to build them under pressure.

[2026-07-16]