The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
Data Breach Notification Statute
Covered Entities: Any person, business, information broker or data collector that maintains computerized data that includes personal information of individuals.
Consumer Notification: Any resident of Georgia whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Regulatory Notification: No.
Notification Timeline: Notice shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
Data Format: Computerized.
Citations: Ga. Code § 10-1-910 et seq.
- Breach: Unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality, or integrity of personal information of such individual.
- Personal Information (PI): An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
  - Social Security number;
  - Driver’s license number or state identification number;
  - Account number, credit card number, or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or password;
  - Account passwords or personal identification numbers or other access codes; or
  - Any of the data elements above when not in connection with the individual's first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.
- Medical Information: N/A
- Health Insurance Information: N/A
- Encryption: Statute does not apply to personal information that is encrypted or redacted.
- Good Faith: Good faith acquisition or use of personal information by an employee or agent of an information broker or data collector for the purposes of such information broker or data collector is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
- Risk of Harm: Notification not dependent on risk of harm to consumer.
- Law Enforcement Delay: The notification may be delayed if a law enforcement agency determines that the notification will compromise a criminal investigation. The notification required by this Code section shall be made after the law enforcement agency determines that it will not compromise the investigation.
- Timing: The notice shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
- Format: N/A
- Content: N/A
- Method: Notice to affected individuals must be by either: (A) Written notice; (B) Telephone notice; (C) Electronic notice, if consistent with the provisions regarding electronic records and signatures in 15 U.S. Code § 7001 (E-SIGN Act); or (D) Substitute notice (see below).
Substitute notice permitted if the information broker or data collector demonstrates (i) that the cost of providing notice would exceed $50,000, (ii) that the affected class of individuals to be notified exceeds 100,000, or (iii) that the information broker or data collector does not have sufficient contact information to provide written or electronic notice to such individuals.
Credit Reporting Agencies Notice:
If notice is required of more than 10,000 Georgia residents at one time, notice must also be given to all consumer reporting agencies that compile and maintain files on consumers on a nation-wide basis.
Any person or business that maintains computerized data on behalf of an information broker or data collector that includes personal information of individuals that the person or business does not own shall notify the information broker or data collector of any breach of the security of the system within 24 hours following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.