There is a newer version of this Section
2022
2021 (you are here)
2020
2019
2018
Other previous versions
View our newest version here

2021 Georgia Code
Title 10 - Commerce and Trade
Chapter 1 - Selling and Other Trade Practices
Article 34 - Identity Theft
§ 10-1-912. Notification Required Upon Breach of Security Regarding Personal Information

Universal Citation: GA Code § 10-1-912 (2021)
Previous Next
  1. Any information broker or data collector that maintains computerized data that includes personal information of individuals shall give notice of any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this Code section, or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
  2. Any person or business that maintains computerized data on behalf of an information broker or data collector that includes personal information of individuals that the person or business does not own shall notify the information broker or data collector of any breach of the security of the system within 24 hours following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
  3. The notification required by this Code section may be delayed if a law enforcement agency determines that the notification will compromise a criminal investigation. The notification required by this Code section shall be made after the law enforcement agency determines that it will not compromise the investigation.
  4. In the event that an information broker or data collector discovers circumstances requiring notification pursuant to this Code section of more than 10,000 residents of this state at one time, the information broker or data collector shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nation-wide basis, as defined by 15 U.S.C. Section 1681a, of the timing, distribution, and content of the notices.

(Code 1981, §10-1-912, enacted by Ga. L. 2005, p. 851, § 1/SB 230; Ga. L. 2007, p. 450, § 3/SB 236.)

Editor's notes.

- Ga. L. 2007, p. 450, § 1/SB 236, not codified by the General Assembly, provides: "This Act shall be known and may be cited as the 'Georgia Personal Identity Protection Act.'"

Law reviews.

- For note, "Cybersecurity on my Mind: Protecting Georgia Consumers from Data Breaches," see 51 Ga. L. Rev. 265 (2016).

JUDICIAL DECISIONS

Tort action for wrongful disclosure of private information dismissed for failure to state cause of action.

- Dismissal of the plaintif's cause of action against a state agency for disclosure of private information in violation of the Georgia Personal Identity Protection Act (GPIPA), O.C.G.A. § 10-1-910 et seq., was affirmed for failure to state a claim because the GPIPA did not impose any standard of conduct in implementing and maintaining data security practices; thus, it could not serve as the source of a statutory duty to safeguard personal information. McConnell v. Department of Labor, 337 Ga. App. 457, 787 S.E.2d 794 (2016).

Previous Next
Disclaimer: These codes may not be the most recent version. Georgia may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.