Costa Rica has a notification requirement for general data breaches, with which all database owners must comply.

The Law on Individual Protection for Processing of Personal Data and Executive Decree N°37554 regulates the protection of personal data. The Executive Decree N°37554 lays down that the party responsible for the database must inform the data owner about any irregularities in the treatment and storage of data, such as loss, destruction, or any similar data breach due to any security vulnerability.

The responsible party has a determined period of time following the data breach to report such vulnerability, the holders of the personal data may take appropriate action as well; in addition, the responsible party must comply with some other requirements for this notification. Not complying with the data protection legislation may carry economic and criminal penalties.