Security Breach Legislation in the State of Georgia

Ga. Code §§ 10-1-910, -911, -912; § 46-5-214 is a data breach notification law that was passed in the U.S. state of Georgia in 2005 and later amended in 2007. It sets forth the legal framework that business entities within the state of Georgia are mandated to follow should a data breach take place. The law also establishes the categories of personal information that are legally protected from disclosure in regard to data breaches. As such, Ga. Code §§ 10-1-910, -911, -912; § 46-5-214 represents the foremost means by which residents of the state of Georgia can protect themselves from the adverse effects of a data breach.

What is the scope and application of Ga. Code §§ 10-1-910, -911, -912; § 46-5-214?

In terms of the scope and application of the law, the provisions established in Ga. Code §§ 10-1-910, -911, -912; § 46-5-214 are applicable to “any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing PI to nonaffiliated third parties, or any state or local agency or subdivision thereof including any department, bureau, authority, public university or college, academy, commission, or other government entity (collectively, Entity) that maintains computerized data that includes PI of individuals.”

What are the data breach notification requirements under Ga. Code §§ 10-1-910, -911, -912; § 46-5-214?

Under Ga. Code §§ 10-1-910, -911, -912; § 46-5-214, a business entity within the state of Georgia is required to provide notification to all affected parties in instances where a data breach occurs. These notifications may be provided to said parties in written or electronic form, provided that the electronic form “is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).” Business entities are also responsible for providing notification to the three major credit reporting agencies within the U.S., should a data breach occur that affects more than 10,000 residents within Georgia. Likewise, third parties that collect and process personal information on behalf of business entities within Georgia must also adhere to the provisions laid out in the law.

What categories of personal information are legally covered under Ga. Code §§ 10-1-910, -911, -912; § 46-5-214?

Under Ga. Code §§ 10-1-910, -911, -912; § 46-5-214, the following types of personal information are legally covered in the event of a data breach, in connection with a Georgia resident’s first name or first initial and last name, in instances where these data elements have been neither encrypted nor redacted:

  • Social security numbers.
  • Driver’s license numbers and state identification card numbers.
  • Account numbers, and credit and debit card numbers, “if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords.”
  • Account passwords, access codes, and personal identification numbers.
  • Any of the types of information listed above, when not in connection with a Georgia resident’s first name or first initial and last name, if the information that was compromised “would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.”

What are the penalties for violating Ga. Code §§ 10-1-910, -911, -912; § 46-5-214?

In terms of the enforcement of Ga. Code §§ 10-1-910, -911, -912; § 46-5-214, the Georgia attorney general has the authority to impose numerous penalties against individuals and entities that are found to be in violation of the law. Such punishments include civil penalties of up to $100 for each offense against a particular consumer. What’s more, violations of Ga. Code §§ 10-1-910, -911, -912; § 46-5-214 are also considered to be violations of Georgia’s Fair Business Practices Act. To this point, business entities that violate the provisions of Ga. Code §§ 10-1-910, -911, -912; § 46-5-214 are also subject to additional penalties under Georgia’s Fair Business Practices Act.

The provisions established in Ga. Code §§ 10-1-910, -911, -912; § 46-5-214 stand as the primary means by which residents of the state can mitigate the adverse consequences of being involved in a data breach. When compared to many other data breach laws around the country, the types of personal information that are legally protected in the event of a data breach are particularly broad, ensuring that residents of Georgia can protect themselves as much as possible when such events occur. As such, said residents can rest assured that their data and privacy are being protected at all times.