Click here to review text of state statute (see Ga. Code Ann., Title 10, Chapter 1, §912 et seq.)
Information Covered / Important Definitions
Personal information of Georgia residents.
The definition includes any data element, when not in connection with a victim’s first or last name, if that data element would be sufficient to allow someone to perform or attempt to perform identity theft.
“Security Breach” means an unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality, or integrity of personal information.
“Information Broker” means any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties.
Covered Entities* / Third Party Recipients
Subject to statute:
Any information broker that maintains computerized data that includes personal information.
Third party recipients:
Any person or business that maintains computerized data on behalf of a covered entity that includes personal information that the person or business does not own must notify the covered entity that owns the information of any security breach within 24 hours following discovery of the breach.
Notice Procedures & Timing / Other Obligations
Written, telephonic or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).
- Substitute notice is available by means prescribed in the statute if costs exceed $50,000, the affected class exceeds 100,000 persons, or the covered entity has insufficient contact information.
Any information broker that must notify more than 10,000 persons at one time of a security breach is also required to notify without unreasonable delay consumer reporting agencies.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted.
Exemption for good faith acquisition of personal information by an employee or agent of a covered entity so long as the personal information is not used or subject to further unauthorized disclosure.
A covered entity is deemed in compliance with the Georgia statute if it maintains and complies with its own notification procedures as part of an information security policy and those procedures are consistent with the timing requirements of the Georgia statute.
Notification to Regulator / Waiver
A state agency that has been subject to a certain single breach or aggravated computer tampering to the security of its data shall submit a comprehensive report to the attorney general and the General Assembly. The statute specifies the content of the report and requires the report to be made available to the public.
Private Cause of Action / Enforcement
Private Cause of Action: No.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
Click here to review text of state statute (see Ga. Code Ann., Title 10, Chapter 1, §910 et seq.)