Story by Bill Haber / December 28, 2017
In the state of Georgia, any business that suffers a data breach involving personally identifiable information must notify affected Georgia residents as soon as possible through mail, telephone, or electronic means. If the security breach affects more than 100,000 people, or the cost of notification exceeds $50,000, other means of notification can be used (e.g., public service announcements). Additionally, a breach affecting more than 10,000 people needs to be reported to all credit reporting agencies. Get the full scoop on GA’s data breach laws below.
| Provision | Georgia |
| --- | --- |
| Name of Law / Statute | Georgia Personal Identity Protection Act |
| Definition of Protected Information | Combination of (1) name or other identifying info, PLUS (2) one or more of these “data” elements: SSN; driver’s license number; or account number, credit card number, or debit card number if accompanied by PIN, password, or access codes. |
| Who Is Subject to Law? | “Information brokers,” defined as “any person or entity who … engages in the business of collecting, assembling, evaluating, compiling, reporting, transmitting,” PI for non-affiliated third parties. |
| Notification of Consumers? | Yes |
| By what means? | Written or electronic (if consumer consented); if >10k residents, must notify consumer reporting agencies |
| Substitute Notice Threshold? | If cost of notice >$250,000 or involves >500k residents |
| Notification of authorities / regulators required? | No |
| By what means? | N/A |
| Regulatory Fines | N/A |
| Credit monitoring requirement? | No |
| Private lawsuits allowed? | No |
| Private damages cap? | N/A |
| Regulatory actions allowed? | N/A |
| HIPAA Compliance exemption? | N/A |
| Other (e.g., timeframe) | Law does not apply if PI was encrypted |
| Link to complete law | Overview: http://www.perkinscoie.com/sc_georgia/ ; Laws: http://law.justia.com/codes/georgia/2006/10/10-1-910.html , http://law.justia.com/codes/georgia/2006/10/10-1-911.html , http://law.justia.com/codes/georgia/2006/10/10-1-912.html |
See below for full text of Georgia’s data breach law.
Ga. Code § 10-1-910 et seq.
S.B. 230 (signed into law May 5, 2005)
Effective May 5, 2005
S.B. No. 236 (signed into law May 24, 2007)
Effective May 24, 2007
Application. Any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing PI to nonaffiliated third parties, or any state or local agency or subdivision thereof including any department, bureau, authority, public university or college, academy, commission, or other government entity (collectively, Entity) that maintains computerized data that includes PI of individuals. The statute shall not apply to any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes or for purposes of providing public access to court records or to real or personal property information.
Security Breach Definition. An unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality, or integrity of PI of such individual maintained by an Entity.
Notification Obligation. Any Entity that maintains computerized data that includes PI of individuals shall give notice of any breach of the security of the system following discovery or notification of the breach to any resident of GA whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.
Notification to Consumer Reporting Agencies. In the event an Entity discovers circumstances requiring notification of more than 10,000 residents of GA at one time, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices.
Third-Party Data Notification. If an Entity maintains computerized data on behalf of another Entity that includes PI of individuals that the Entity does not own, it shall notify the other Entity of any breach of the security of the system within 24 hours following discovery, if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.
Timing of Notification. The notice shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
Personal Information Definition. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notice Required. Notice may be provided by one of the following methods:
Substitute Notice Available. If an Entity demonstrates that the cost of providing notice would exceed $50,000, that the affected class of individuals to be notified exceeds 100,000, or that the Entity does not have sufficient contact information to provide written or electronic notice to such individuals. Substitute notice shall consist of all of the following:
Exception: Own Notification Policy. Any Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and whose procedures are otherwise consistent with the timing requirements of the statute shall be deemed to be in compliance with the notification requirements of the statute if it notifies the individuals who are the subjects of the notice in accordance with its policies in the event of a breach of the security of the system.
Other Key Provisions: