Georgia Information Security Breach Law
Breach notification laws in Georgia are covered under the Georgia Personal Identity Protection act, Ga. Code § 10-1-910 et seq. This includes S.B. 230, and 236. S.B. 230 was signed into law on May 5, 2005, and became effective May 5, 2005. S.B. 236 was signed into law on May 24, 2007, and became effective May 24, 2007.
The “entity” covered under the Georgia breach notification law is rather extensive. It includes individuals who in whole or in part assemble, collect, compile, evaluate,
transmit, transfer, report, or communicate PI of individuals for either monetary fees or dues. Entities who do this for non-affiliated third parties, or for any legal agency be it state, local, or federal, are included. This covers bureaus, public educational institutions, and legal institutions. The statute doesn’t affect government agencies maintaining records primarily as a means of keeping traffic safety. The same is true of law enforcement, or licensing for public access court records to property information either real or personal. The legal definition of “entity” in Georgia applies to non-local parties who manage PI of state residents.
A security breach is when PI is accessed without authorization. Good faith data utility isn’t a breach, unless the data is misused, or made subject to any subsequent disclosure of an unauthorized kind.
Time Frames for Breach Reporting
An entity is obligated to provide breach notification in Georgia after a breach is discovered, and to whoever’s information was accessed by unauthorized parties. Consumer reporting agencies must be notified should 10,000 or more residents in Georgia be compromised at once. This must additionally be done without unreasonable delay. Should an entity keep computerized data for a third party, they must be notified within 24 hours of breach discovery–provided PI was, or is reasonably expected to have been, acquired by an unauthorized person(s).
Notification must be made as quick as possible and without delay. Determining the scope of a breach, and re-establishing a data system’s operational integrity, are determined to be reasonable delays. Means by which affected parties can be notified include either written notice or electronic notice conforming to the E-SIGN Act (15 U.S.C. § 7001). Substitute notification methods become available should more than $50,000 be required to notify affected individuals, should more than 100,000 parties be affected, or if there isn’t available contact information.
Private lawsuits are not allowed for PI compromise in Georgia. If PI was encrypted, associated notification laws do not apply.
Breach notification exceptions for Georgia include delays for law enforcement should such an agency determine that notifying affected parties would impede an investigation. As soon as law enforcement allows notification, it must be made. Additionally, if an entity keeps notification procedures in consistence with timing and notification requirements of existing Georgia statutes, this is permissible–provided notification of affected parties according to such procedures is followed.
Contact Security Compliance Associates Today to Learn More about Information Security Breach Law in Georgia
Security Compliance Associates (SCA) has years of experience helping organizations across the United States to prevent and manage potential data breaches. Contact us today at 727-571-1141 to schedule a no-cost consultation. You can also download our free Data Breach Response Guide to learn more about breach notification law in your state.