Georgia Notice to Consumers of Data Security Breaches
Ga. Code § 10-1-910 - § 10-1-915
SUMMARY:
EFFECTIVE. May 5, 2005
WHO DOES THIS LAW APPLY TO. Any person or business which, for compensation, collects, transmits, or maintains computerized data that includes Personal Information, excluding any governmental agency which maintains records primarily for traffic safety, law enforcement or licensing purposes.
WHAT IS A BREACH. Unauthorized acquisition of computerized data that materially compromises the security, integrity or confidentiality of Personal Information maintained by a person or business. A good faith acquisition of Personal Information by an employee or agent of the owner for internal purposes only is not a breach, if it is not used or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or data element is not encrypted or redacted:
- Social Security Number.
- Driver’s license number or state identification card number.
- Account number, credit card or debit card number if such number could be used without additional information such as access codes or passwords.
- Account passwords, identification numbers or access codes.
- Any of the above when not used in connection with an individual’s name, if the information compromised is sufficient to facilitate identity theft against an individual.
Personal Information does not include publicly available information, information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the Georgia residents affected. If more than 10,000 Georgia residents are involved in a breach, the person or business shall also notify all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1618a), of the timing, distribution, and content of the notices.
EXCEPTION. This Section does not apply to the following:
- A person or business which maintains its own notice procedures as part of a Personal Information security policy and is otherwise consistent with the timing requirements of this section, is considered in compliance with this Section if the affected individuals are notified by the person or business in accordance with such policies.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person or business first becomes aware of an incident of unauthorized acquisition. The disclosure shall be made in the most expedient manner possible and without unreasonable delay, consistent with the needs of law enforcement, any measures necessary to determine the nature and scope of the breach, and to restore the reasonable integrity of the data system. Notification may be delayed if it will impede a criminal investigation and requested by law enforcement. In that instance, notification will be made as soon as possible following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Electronic (if consistent with the provisions regarding electronic records and signatures provided in Section 7001 of Title 15 of the United States Code).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person or business can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 500,000, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person or business has an Email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person or business.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person or business maintains computerized data which includes Personal Information that it does not own, then the person or business shall notify the owner or licensee of any breach immediately following discovery. The person or business that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. None specified.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. Ga. Code § 10-15-2. Disposal of business records containing personal information. A business may not discard a record containing personal information unless it:
- (1) Shreds the customer's record before discarding the record;
- (2) Erases the personal information contained in the customer's record before discarding the record;
- (3) Modifies the customer's record to make the personal information unreadable before discarding the record; or
- (4) Takes actions that it reasonably believes will ensure that no unauthorized person will have access to the personal information contained in the customer's record for the period between the record's disposal and the record's destruction.
LEGISLATIVE UPDATES.
S.B. 230 – Signed into law on 5/5/2005, Effective 5/5/2005.
S.B. 236 – Signed into law on 5/24/2007, Effective 5/24/2007.
For more information, see here: http://ga.elaws.us/law/10-1%7C34
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.