Notification Required Upon Breach of Security Regarding Personal Information
(a) Any information broker or data collector that maintains computerized data that includes personal information of individuals shall give notice of any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this Code section, or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
(b) Any person or business that maintains computerized data on behalf of an information broker or data collector that includes personal information of individuals that the person or business does not own shall notify the information broker or data collector of any breach of the security of the system within 24 hours following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(c) The notification required by this Code section may be delayed if a law enforcement agency determines that the notification will compromise a criminal investigation. The notification required by this Code section shall be made after the law enforcement agency determines that it will not compromise the investigation.
(d) In the event that an information broker or data collector discovers circumstances requiring notification pursuant to this Code section of more than 10,000 residents of this state at one time, the information broker or data collector shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nation-wide basis, as defined by 15 U.S.C. Section 1681a, of the timing, distribution, and content of the notices.
(Code 1981, §10-1-912, enacted by Ga. L. 2005, p. 851, § 1/SB 230; Ga. L. 2007, p. 450, § 3/SB 236.)
Editor's notes. - Ga. L. 2007, p. 450, § 1/SB 236, not codified by the General Assembly, provides: "This Act shall be known and may be cited as the 'Georgia Personal Identity Protection Act.'"
Law reviews. - For note, "Cybersecurity on my Mind: Protecting Georgia Consumers from Data Breaches," see 51 Ga. L. Rev. 265 (2016).
JUDICIAL DECISIONS
Tort action for wrongful disclosure of private information dismissed for failure to state cause of action. - Dismissal of the plaintiff's cause of action against a state agency for disclosure of private information in violation of the Georgia Personal Identity Protection Act (GPIPA), O.C.G.A. § 10-1-910 et seq., was affirmed for failure to state a claim because the GPIPA did not impose any standard of conduct in implementing and maintaining data security practices; thus, it could not serve as the source of a statutory duty to safeguard personal information. McConnell v. Department of Labor, 337 Ga. App. 457, 787 S.E.2d 794 (2016).