Tag: encripción

Oriental had 10 days to Notify a Breach to Regulators. Could your business – and its vendors – do the same?

In May 2026, Evertec — a payment processor that handles data for banks across Puerto Rico — discovered that an unauthorized party accessed customer information through a third-party support platform, exposing card numbers and, in some cases, names, expiration dates, birth dates, and contact details. Oriental Bank confirmed some of its customers were affected, began notifying them through its mobile app, and started reissuing cards. Under Puerto Rico’s Data Breach Notification Act of 2005, once a breach like this is detected, the responsible parties have a non-extendable 10 days to inform DACO — Puerto Rico’s Department of Consumer Affairs — before the agency makes the matter public. Although 10 days might sound like enough time, take a few minutes to ask yourself: if a vendor you rely on got breached tomorrow, would you even find out in time to hit that deadline — and, does your business actually know who’s responsible for what, or would you be building that answer from scratch under pressure?

What Information is Covered under Puerto Rico’s Breach Notification Act?

If you or your business are Oriental Bank customers, you can go to their site to learn more about the incident and how to protect yourself.

Passed in 2005 to respond to identity theft cases, Law Number 111 of September 7, 2005, called Ley de Información al Ciudadano Sobre la Seguridad de Bancos de Información (translated literally as “Citizen Notification Act on the Security of Information Databases”) requires any entity that owns or holds a data bank (banco de información) containing personal information on Puerto Rico residents to notify those residents when the security of that system is breached. The law’s reach is broad by design: “entity” is defined to include virtually any corporation, partnership, or business operating in Puerto Rico, plus public and private educational institutions — which certainly isn’t limited to banks or financial services.

What counts as protected “personal information archive” under Law 111? 

Any record containing a name (or first initial plus surname) combined with any of the following, in a form that’s readable without a special cryptographic key — meaning a password alone doesn’t count as protection:

  • Social Security number.
  • Driver’s license, voter ID, or other official ID number.
  • Bank or financial account numbers of any kind (this is exactly what was exposed in the Evertec incident).
  • Usernames and passwords to public or private computer systems.
  • HIPAA-protected medical information.
  • Tax information.
  • Employment evaluations.

The Two-Tier Notification Chain

Law 111 sets up a structure that maps almost exactly what’s happening with Evertec and Oriental right now:

  • If your business resells or provides access to a digital data bank containing personal information on behalf of another entity, and that access is breached, you must notify the owner or custodian of that data — not the individual consumers directly.
  • If your business owns or holds the data itself, you must notify the affected residents directly once you learn (from your own systems or from a vendor) that a breach has occurred.

In the current case, Evertec — as the vendor providing the data processing — sits in the first category; Oriental Bank and other affected financial institutions, as the data owners with the direct customer relationship, sit in the second. That’s precisely the chain Law 111 anticipated: the vendor notifies the institution, the institution notifies the customer.

On the ground, this has looked like concrete remediation alongside notification: Oriental’s CEO has said the bank is proactively reissuing cards to affected customers, describing replacement as the most secure way to close out any risk, and has pointed customers to the bank’s mobile app as a direct channel to check whether their account was affected and what steps to take — including reviewing in-app notifications, using card lock/freeze controls, and monitoring transactions for anything unauthorized. 

Whatever the eventual full scope of the incident turns out to be, this is a useful real-world picture of what the response side of a Law 111 notification can look like in practice: a specific, accessible channel for customers to get answers, paired with an actual remediation step (card replacement) rather than notification alone.

The Deadlines Are Specific — and Short

  • Notification to affected residents must happen “as expeditiously as possible,” with allowance made for law enforcement’s need to secure evidence and for restoring system security.
  • Separately, and non-negotiably: the responsible parties must inform DACO (Puerto Rico’s Department of Consumer Affairs) within 10 days of detecting the breach — a deadline that Law 111 explicitly calls “non-extendable”.
  • Once DACO receives that information, it must make a public announcement within 24 hours.
  • The notice itself must be clear and conspicuous, describe the breach in general terms along with the type of sensitive information involved, and include a toll-free number or website for more information.
  • If direct notification would cost more than $100,000 or affect more than 100,000 people, the law allows substitute notice instead through a prominent posting at the business and on its website, plus notification to media outlets.

The Penalty — Up to $5,000 in fines, but Unlimited in the Courts

Under Article 10 of Law 111, DACO’s Secretary can impose fines of $500 to $5,000 per violation. However, this article also states that these fines don’t replace a consumer’s right to separately sue for damages in court. For a breach affecting thousands of cardholders like this one, the administrative fine will probalby be the least of their worries, as the aggregate exposure from private litigation is where the real financial risks will lie.

Why Should You Care about this?

  • This isn’t just a “big bank” law. Any business — for example, a medical office, a law firm, a retailer, a school — that holds a customer or client database containing names paired with social security numbers, account numbers, or login credentials is required to comply with Law 111.
  • Vendor breaches legally are your breaches. If a payment processor, cloud host, or vendor you use gets breached, Law 111’s chain means the notification obligation to your own customers may land on you, not just the vendor — so knowing which of your vendors hold this kind of data matters before an incident, not after.
  • The 10-day DACO clock is unforgiving. “Non-extendable” means exactly that. A business that doesn’t already have an incident-response plan mapping out who does what within that window is racing the clock for the first time during the worst possible moment.
  • Password protection alone doesn’t exempt you. Law 111 specifically requires something beyond a password — real encryption — before data falls outside the notification requirement. A lot of small businesses assume “password-protected” is enough. It isn’t, under this statute.

Is Your Business Prepared to Handle a Breach? Here Are a Few Things You Can Start Doing Today

  • Know exactly which of your vendors hold PR-resident personal data, and draft vendor contracts that require them to notify you immediately – ideally within 24 hours – of any breach. You will not be able to meet the 10-day DACO deadline if you’re the last to know.
  • Have a breach-notification plan ready before you need it — template notices, a designated point of contact, and a clear internal escalation path so the 10-day window isn’t spent figuring out who’s in charge.
  • Actually encrypt sensitive data, not just password-protect it — encryption is what takes a breach outside this law’s notification trigger in the first place.
  • Don’t assume “no evidence of misuse” ends the matter and avoids liability  — the notification duty is triggered by unauthorized access itself, not by proof that the data was actually misused.

The Bottom Line

The Evertec/Oriental situation is an unfortunate illustration of exactly the chain Puerto Rico lawmakers anticipated back in 2005: a vendor breach flowing through to bank notifications, DACO oversight, and public disclosure. Whatever the outcome of that specific case, the broader lesson holds for any business handling personal data of Puerto Rican residents: this law applies whether or not you’re a bank, the clock starts the moment you detect the breach, and “we didn’t know because our vendor didn’t tell us fast enough” isn’t a defense allowed by the law.

If you want to make sure your business complies with U.S. and Puerto Rico privacy and data-security laws — including having a breach-notification plan that actually meets Law 111’s deadlines — you can book an appointment with us today. We’re ready to help you map your data, your vendors, and your obligations before an incident forces you to learn them the hard way.

[2026-07-13]