PUERTO RICO: An Introduction to Intellectual Property
In today’s economy, intellectual property and privacy are central concerns that shape the landscape of innovation and commerce. Intellectual property encompasses creations of the mind, such as inventions, literary and artistic works, and designs. It is the basis for fostering innovation, rewarding creators, and driving economic growth. However, the digital age has brought new challenges in protecting intellectual property rights, with problems such as piracy, counterfeiting, and unauthorised use proliferating on various online platforms. At the same time, privacy concerns have increased due to companies' and governments' widespread collection and use of personal data.
The recent wave of growth in emerging industries in Puerto Rico and the development of new technologies have awakened a series of concerns among stakeholders about consumers’ privacy amid the constant flow of information to which individuals are exposed. In this context, this past year, there has been discussion and lobbying in Puerto Rico in favor of protecting the information collected from consumers. The Puerto Rico Legislative Branch authored two critical pieces of legislation regarding data protection and security that companies and business entities must heed to do business in Puerto Rico.
Cybersecurity Act
On January 21, 2024, the Governor of Puerto Rico signed Act No. 40 of 2024, also known as the Cybersecurity Act of the Commonwealth of Puerto Rico (“Cybersecurity Act”). This act imposes significant security conditions applicable to the public sphere and private companies that work with the government and/or receive public funds. The Cybersecurity Act establishes a public policy to secure government data and a comprehensive framework to ensure cybersecurity in the Government of Puerto Rico (“Government”), and it addresses access control, data protection, threat prevention, and collaboration with service providers.
The provisions of the Cybersecurity Act apply to the Executive Branch, to any natural or juridical person that does business or has contracts with the Government, private persons that perform public functions and services (only concerning the public functions and services performed), to any exercise of public or private administration in which public funds or resources have been dedicated or invested (directly or indirectly), or over which the authority of any public servant has been exercised, concerning the data generated as a product of such activities (“Concerning Parties”).
The Cybersecurity Act codifies that the Concerning Parties must:
• Establish mechanisms to stop inappropriate traffic on the Internet and a security policy to prevent access to websites with inappropriate content, such as pornographic content, malware, phishing, and other threats.
• Establish layered control mechanisms to reinforce confidentiality, integrity, and information authorisation.
• Establish policies for appropriate use of equipment and information systems, reinforced with administrative and technical controls and control mechanisms for accessing the information network.
• Encrypt confidential information. Encryption is required based on the best recommendations of the National Institute of Standards and Technology ("NIST") for the confidentiality and integrity of information. In addition, technical controls must be established to enforce these policies.
• Establish virtual private networks (“VPNs”). Remote connections to the Government can only be made through VPNs or other virtual private network software contracted exclusively for official use.
• Comply with minimum security standards and principles before developing programs or applications.
• Agencies accepting credit card payments must comply with payment card industry best practices and data security standards. If a third party provides the service, the third party must provide the agency with a PCI-DSS compliance report or best practice before the agency can contract.
• Establish multi-factor authentication ("MFA") for all users, especially after classifying data by criticality.
• Install automatic controls to detect unwanted programs that may affect information security.
Concerning Parties covered by the new Cybersecurity Act should (1) review the new Cybersecurity Act and the specific requirements that apply to their particular case; (2) conduct an internal assessment to determine the degree of current compliance with the requirements of the Cybersecurity Act and identify any existing compliance gaps; and (3) create a plan to comply with the requirements of the Cybersecurity Act.
The Cybersecurity Act establishes penalties for non-compliance and empowers the Puerto Rico Innovation and Technology Service office to adopt regulations necessary to comply with the established public policy. The Cybersecurity Act became effective immediately after its approval. However, the Government will have six months to finalise all the necessary procedures to comply with the provisions of this Act.
Bill No. 1548
Puerto Rico is moving towards more secure and strict regulations on consumer data collection. Just recently, both bodies of the Puerto Rico Legislative Branch approved the Bill of the House No. 1548 (“Bill No. 1548”), which outlines new standards for data collection, consequences for businesses that cannot protect user data, and rights of the Puerto Rican consumers. More specifically, Bill No. 1548 declares as a public policy of the government of Puerto Rico the protection of the personal data of its citizens, used in the commercial interaction between consumers and companies, businesses, or commerce, which in the exchange of goods and services require the personal data of their clients for databases, profiles, or any commercial use. Among the new standards that companies and businesses will have to adhere to are:
• Every consumer shall be entitled to and shall be advised that the company, business, or trade with whom he/she does business by offering goods and services requires the personal information of the consumer to be used, stored, and safeguarded. The consumer should provide informed consent and be aware of the company’s use of the personal information it collects from the consumer for database storage, data repositories, prospect lists, future promotions, contests, sweepstakes, or any other commercial use. The informed consent must be unequivocal, the product of a warning in broad, explicit language, and must be found in a visible place in any document, contract, website, or electronic application.
• A consumer shall have the right to request that a company, business, or trade delete any personal information that the company has collected (a few exceptions apply).
• A company or business cannot discriminate against consumers for exercising their rights under this act. This includes denying goods and services to the consumer; charging different prices or rates for goods or services, including by refusing discounts or other promotions applicable to the general consumer as a penalty; and providing an inferior level or quality of goods or services.
• Businesses and companies shall make available to consumers two or more designated methods for submitting requests, complaints, or claims, including, at a minimum, a telephone number, e-mail, and mailing address.
• Businesses and companies shall store the consumer’s data for no more than 24 months (a few exceptions apply).
Companies and businesses in Puerto Rico must be aware of these standards, which intend to enhance privacy rights and consumer protection, and must take the necessary measures to comply with them. Bill No. 1548 is pending the Puerto Rican Governor’s signature to become law. Once it is signed, it enters into force immediately. Businesses should review their data inventory, collection, and sharing practices to determine if their privacy methods comply with Bill No. 1548.