In light of the increasing cyber data breaches over the last couple of years, Georgia companies must be aware of the legal requirements that are triggered a company discovers or reasonably believes that a breach in the security of the unencrypted personal information data of any Georgia resident has occurred. O.C.G.A. § 10-1-912. Not all companies are subject to these requirements. Only those companies that are data collectors or information brokers that maintain computerized data that includes "personal information of individuals" are governed by the notification requirements. But who are data collectors or information brokers?
O.C.G.A. § 10-1-911 defines a "data collector" as "any state or local agency or subdivision thereof including any department, bureau, authority, public university or college, academy, commission, or other government entity. . . ." Any governmental agency "whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes or for purposes of providing public access to court records or to real or personal property information", however, are not considered a "data collector." O.C.G.A. § 10-1-911 (2).
An "information broker" is defined as "any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties. As with a "data collector", an "information broker" does not include governmental agencies whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes. O.C.G.A. § 10-1-911 (3).
The "personal information" subject to the required data breach notification is defined as the first name or first initial last name in combination with any one or more of the following data elements, when either the name of the damage elements are not encrypted or redacted:
- Social security number;
- Driver's license number of state identification card number;
- Account number, credit card number, or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords;
- Account passwords or personal identification numbers or other access codes; or
- Any of the above data elements when not in connection with the individual's first name or first initial and last name, if the information compromised would be sufficient to perform or attempt identity theft against the person whose information was compromised.
O.C.G.A. § 10-1-911(6).
A breach of such personal information occurs upon the unauthorized acquisition of an individual's electronic data that compromises the security, confidentiality, or integrity of personal information, excluding certain good faith acquisitions or uses. O.C.G.A. § 10-1-911(1). Notification of a breach is not dependent on the risk of harm to the consumer; as long as there has been a breach or a reasonable belief that a breach has occurred, notification is mandated.
The chart below summarizes the notifications required in Georgia pursuant to O.C.G.A. § § 10-1-911; 10-1-912:
Consumer Notice Requirements
Timing: Any resident of the state must be notified in the most expedient time possible and without reasonably delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidential of the data system.
Method: Given in writing, by telephone, or electronically provided if in compliance with E-SIGN. Substitute notice may be available under certain conditions.
Substitute Notice Requirements
Substitute Notice: If the cost of providing notice would exceed $50,000.00, that the affected class to be notified exceeds 100,000, or that the entity does not have sufficient contact information to provide written or electronic notice to such individuals.
Method: Email notice, if the entity has an email address for the individuals to be notified; conspicuous posting of the notice on the entity's website page, it maintains one; and notification to major state-wide media.
Third Party Notice Requirements
An entity that maintains data on behalf of another must notify the information broker or data collector within 24 hours of discovery of the breach.
Delayed Notice Requirements
Notification can be delayed if a law enforcement agency determines that a notification will compromise a criminal investigation.
Consumer Reporting Agency Obligations
If more than 10,000 residents are notified, notice must be given "without unreasonable delay" to all nationwide consumer reporting agencies.
In addition to the statutory notification requirements, Georgia companies must also comply with any notice required under the company's cyber insurance policy. For a detailed review of the notice requirements as well as the coverages set forth in a cyber policy, please contact the firm's Cyber Law Committee.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.