Guam Data Breach Notification Statute Summary

9 G.C.A. § 48.10 et seq.

 

Type of Data Covered: Electronic.
Deadline for Notification: Without unreasonable delay.
Government Notice: No.

 

Subject Entities

Applies to individuals, businesses, governmental entities, and other entities including non-profits that own, license, or maintain personal information. Certain entities may be exempted from particular or all provisions of the law.

Definition of Personal Information

First name, or first initial, and last name in combination with and linked to any one or more of the following data elements that are neither encrypted nor redacted:

  • Social Security Number;
  • Driver’s license number or Guam identification card number issued in lieu of a driver’s license;
  • Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial accounts.

The term does not include information that is lawfully obtained from publicly available information, or from Federal, State, or local government records lawfully made available to the general public.

Definition of Breach

Unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an entity as part of a database of personal information regarding multiple individuals, or that the individual or entity reasonably believes has caused or will cause identity theft or other fraud. Excludes certain good faith acquisitions.

Type of Data Covered

Electronic.

Encryption Safe Harbor

The statute does not apply to encrypted or redacted personal information. The safe harbor does not apply when the encryption key was also compromised due to the breach or there is a reasonable belief that a resident will suffer identity theft or fraud.

Risk of Harm Analysis

Notification is not required if the acquisition of personal information does not cause, or the subject entity does not reasonably believe it has or will cause, identity theft or other fraud to a Guam resident.

Consumer Notice Requirements

Timing: Notice must be without unreasonable delay consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.

Method: Written notice to the postal address in the subject entity’s records, telephone notice, or electronic notice. Substitute notice may be available under certain conditions. An entity maintaining an information privacy or security policy may notify in accordance with its own notification procedures if consistent with timing requirements.

Substitute Notice Requirements

If the cost of providing notice will exceed $10,000 or the affected class of residents to be notified exceeds 5,000 people, or if sufficient contact information or consent to provide notice is unavailable, substitute notice may be given. Substitute notice consists of any two of the following:

  • Email notice if the individual or the entity has email addresses for the members of the affected class of residents;
  • Conspicuous posting of the notice on the entity’s website, if it maintains one; and
  • Notice to major Guam media.

Delayed Notice Requirements

Notification may be delayed if a law enforcement agency determines and advises that the notice will impede a criminal or civil investigation, or homeland or national security.

Third Party Notice Requirements

Must notify the owner or licensee of personal information maintained by the subject entity as soon as practicable following discovery of a breach, if the personal information was or is reasonably believed to be accessed and acquired by an unauthorized person.

Potential Penalties

A violation resulting in injury or loss may be enforced by the Attorney General, who has exclusive authority to bring an action for actual damages or for a civil penalty not to exceed $150,000 per breach of the security of the system or per series of similar breaches discovered in a single investigation.

Notification Requirements for Government Agencies

Please see the statute for specific requirements and/or penalties for applicable government agencies.

 

Last updated: January 2024