Georgia

Statute: Ga. Code § 10-1-910 et seq.

What’s a breach?

Breach of the security of the system means unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality or integrity of personal information of such individual maintained by an information broker or data collector. Good faith acquisition or use of personal information by an employee or agent of an information broker or data collector for the purposes of such information broker or data collector is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

What’s considered personal information?

Personal information means an individual’s first name or first initial and last name in combination with one or more of the following data elements when either the name or the data elements are not encrypted or redacted:

  • Social Security number;
  • Driver’s license number or state identification card number;
  • Account number, credit card number or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes or passwords;
  • Account passwords or personal identification numbers or other access codes; or
  • Any of the items previously mentioned when not in connection with the individual’s first name or first initial and last name if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.

Individual notification requirements

Any information broker or data collector that maintains computerized data including personal information of individuals must give notice of any breach of the security of the system following discovery or notification of the breach in the security of the data to any residents of this state whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.

The notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the data system.

Required notification may be delayed if a law enforcement agency determines that the notification will compromise a criminal investigation. The required notification must be made after the law enforcement agency determines that it will not compromise the investigation.

Regulator notification requirements

In the event that an information broker or data collector discovers circumstances requiring notification of more than 10,000 residents of this state at one time, the information broker or data collector must also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. Section 1681a, of the timing, distribution and content of the notices.