Data Breach Requirements in Georgia

Story by Bill Haber / December 28, 2017

Georgia: State Laws

In the state of Georgia, any business that suffers a data breach involving personally identifiable information must notify affected Georgia residents as soon as possible through mail, telephone, or electronic means. If the security breach affects more than 100,000 people, or the cost of notification exceeds $50,000, other means of notification can be used (e.g., public service announcements). Additionally, a breach affecting more than 10,000 people needs to be reported to all credit reporting agencies. Get the full scoop on GA’s data breach laws below.

Name of Law / Statute Georgia Personal Identity Protection Act
Definition of Protected Information Combination of (1) name or other identifying info, PLUS (2) one or more of these “data” elements: SSN; driver’s license number; or account number, credit card number, debit card number if accompanied by PIN, password, or access codes.
Who Is Subject to Law? “Information brokers,” defined as “any person or entity who … engages in the business of collecting, assembling, evaluating, compiling, reporting, transmitting,” PI for non-affiliated third parties.
Notification of Consumers? Yes
By what means? Written or electronic (if consumer consented); if >10k residents, must notify consumer reporting agencies
Substitute Notice Threshold? If cost of notice >$250,000 or involves >500k residents
Notification of authorities / regulators required? No
By what means? N/A
Regulatory Fines N/A
Credit monitoring requirement? No
Private lawsuits allowed? No
Private damages cap? N/A
Regulatory actions allowed? N/A
HIPAA Compliance exemption? N/A
Other  (e.g., timeframe) Law does not apply if PI was encrypted
Link to complete law Overview: Laws:

See below for full text of Georgia’s data breach law.

Ga. Code § 10-1-910 et seq.

S.B. 230 (signed into law May 5, 2005)

Effective May 5, 2005

S.B. No. 236 (signed into law May 24, 2007)

Effective May 24, 2007

Application. Any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing PI to nonaffiliated third parties, or any state or local agency or subdivision thereof including any department, bureau, authority, public university or college, academy, commission, or other government entity (collectively, Entity) that maintains computerized data that includes PI of individuals. The statute shall not apply to any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes or for purposes of providing public access to court records or to real or personal property information.

  • The provisions governing maintenance of PI are applicable to any Entity maintaining information on GA residents, whether or not organized or licensed under the laws of GA.

Security Breach Definition. An unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality, or integrity of PI of such individual maintained by an Entity.

  • Good-faith acquisition or use of PI by an employee or agent of an Entity for the purposes of such Entity is not a breach of the security of the system, provided that the PI is not used or subject to further unauthorized disclosure.

Notification Obligation. Any Entity that maintains computerized data that includes PI of individuals shall give notice of any breach of the security of the system following discovery or notification of the breach to any resident of GA whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.

Notification to Consumer Reporting Agencies. In the event an Entity discovers circumstances requiring notification of more than 10,000 residents of GA at one time, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices.

Third-Party Data Notification. If an Entity maintains computerized data on behalf of another Entity that includes PI of individuals that the Entity does not own, it shall notify the other Entity of any breach of the security of the system within 24 hours following discovery, if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.

Timing of Notification. The notice shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.

Personal Information Definition. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

  • Social Security Number;
  • Driver license or state identification card number;
  • Account number or credit card number or debit card number if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords;
  • Account passwords or personal identification numbers or other access codes; or
  • Any of the above items when not in connection with the individual’s first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.

PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Notice Required. Notice may be provided by one of the following methods:

  • Written notice; or
  • Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).

Substitute Notice Available. If an Entity demonstrates that the cost of providing notice would exceed $50,000, that the affected class of individuals to be notified exceeds 100,000, or that the Entity does not have sufficient contact information to provide written or electronic notice to such individuals. Substitute notice shall consist of all of the following:

  • Email notice, if the Entity has an email address for the individuals to be notified;
  • Conspicuous posting of the notice on the Entity’s Web site, if the Entity maintains one; and
  • Notification to major statewide media.

Exception: Own Notification Policy. Any Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and whose procedures are otherwise consistent with the timing requirements of the statute shall be deemed to be in compliance with the notification requirements of the statute if it notifies the individuals who are the subjects of the notice in accordance with its policies in the event of a breach of the security of the system.

Other Key Provisions:

  • Delay for Law Enforcement. Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice required by the statute must be made without unreasonable delay and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.