Puerto Rico Enacts Comprehensive Cybersecurity Law: Act 40-2024

Puerto Rico’s Cybersecurity Act (Act 40-2024) establishes new standards for data protection and compliance. Learn how this impacts businesses and government contractors.

Introduction

On January 18, 2024, Puerto Rico enacted Act 40-2024, establishing a framework to strengthen cybersecurity across the government and across private sector entities that interact with public resources. Known as the “Cybersecurity Act of the Commonwealth of Puerto Rico,” this legislation introduces measures to safeguard sensitive data, fortify critical infrastructure, and promote a secure digital environment. As cyber threats increase in frequency and sophistication, Act 40-2024 sets a new standard for addressing these risks through comprehensive policies, mandatory requirements, and proactive enforcement. This article outlines the key components of the law and its implications for businesses operating in Puerto Rico.


Key Features of Act 40-2024

1. Creation of the Chief Information Security Officer (CISO) Role

The law establishes the position of Chief Information Security Officer (CISO) under the Puerto Rico Innovation and Technology Service (PRITS). The CISO leads the government’s cybersecurity efforts, ensuring compliance with the Act and implementing measures to protect government information systems. Key responsibilities of the CISO include:

  • Establishing minimum security standards for data and IT systems.

  • Coordinating with government agencies to address vulnerabilities.

  • Responding to and mitigating cyberattacks in real time.

2. Zero Trust Architecture as Policy

The Act mandates a “zero trust architecture” approach: no user, device, or connection is trusted by default, regardless of whether it originates inside or outside the government network, and every access request must be authenticated and authorized before it is granted. This principle underpins Puerto Rico’s cybersecurity policies, translating in practice into stricter, per-request access controls and continuous monitoring rather than reliance on a trusted internal perimeter.

3. Prohibition on Ransom Payments

Government entities and contractors are prohibited from making ransom payments in response to ransomware attacks. Exceptions may be evaluated on a case-by-case basis if public safety or critical infrastructure is at immediate risk.


Responsibilities for Businesses and Contractors

Act 40-2024 applies broadly to public agencies, private entities with government contracts, and businesses leveraging public resources. Organizations must:

  • Comply with minimum cybersecurity standards set by PRITS.

  • Report cybersecurity incidents to the Office for Cyber Incident Evaluation within 48 hours.

  • Implement measures such as encryption, data classification, and multi-factor authentication to protect sensitive information.


Establishment of the Office for Cyber Incident Evaluation

The Act creates the Office for Cyber Incident Evaluation, tasked with:

  1. Monitoring and responding to cybersecurity threats.

  2. Investigating incidents affecting government systems.

  3. Collaborating with federal and local agencies to resolve breaches.

  4. Developing metrics and reporting on cybersecurity trends.

This centralized approach strengthens Puerto Rico’s ability to mitigate risks while ensuring accountability.


Mandatory Training and Education

Act 40-2024 emphasizes the importance of cyber-awareness by mandating:

  • Annual cybersecurity training for government employees and contractors.

  • Public education programs to help citizens recognize and respond to cyber threats.


Penalties for Non-Compliance

Entities that fail to comply with the Act’s provisions face significant consequences, including:

  • Fines of up to $100 for each day of non-compliance.

  • Penalties up to $5,000 for gross negligence or deliberate misconduct.

  • Restrictions on future government contracts for violators.


Why This Law Matters

Cyberattacks pose an ever-growing threat to public safety, economic stability, and data privacy. In 2022 alone, Puerto Rico recorded over 12.4 million confirmed cyberattacks. Act 40-2024 represents a proactive step toward addressing these challenges by fostering a culture of cyber resilience. For businesses, the law underscores the importance of implementing robust cybersecurity practices. By adhering to its requirements, companies can safeguard their operations, maintain trust, and avoid costly penalties.


How MZLS Can Assist

At MZLS, we provide comprehensive legal and regulatory guidance to businesses navigating Puerto Rico’s cybersecurity landscape. Our services include:

  • Compliance Audits: Assessing your organization’s adherence to Act 40-2024 requirements.

  • Incident Response Planning: Helping you prepare for and manage potential breaches.

  • Contract Review: Ensuring your agreements meet government cybersecurity standards.

Whether you’re a government contractor, private entity, or multinational company, our law firm is here to support your legal needs, including compliance with cybersecurity requirements.


Conclusion

Act 40-2024 is a bold step forward in securing Puerto Rico’s digital infrastructure. For businesses and public entities alike, understanding and implementing its provisions will be key to maintaining operational integrity in an increasingly digital world. To learn more about how Act 40-2024 affects your business or to schedule a consultation, contact MZLS today.