Code of Georgia § 10-1-910
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
"Breach of the security system" is defined as "unauthorized acquisition of an individual's electronic data that compromises the security, confidentiality, or integrity of personal information of such individual maintained by an information broker or data collector."
When is notice required?
Notice is required for all Georgia residents affected by the breach "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement...or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. If over 10,000 residents are included in the breach then consumer reporting agencies must be notified as well. Written, telephonic, electronic, and substitute notice are all acceptable depending on the circumstances.
What are the penalties for non-compliance?
There are no penalties or explicit standards of care listed in the statute. As you may expect, this creates problems for residents who would like to hold companies accountable for violations. However, in McConnell v. Department of Labor, the plaintiff's cause of action against a state agency for disclosure of private information was dismissed for failure to state a claim because the statute did not impose any standard of conduct in implementing and maintaining data security practices. See McConnell v. Department of Labor, 337 Ga. App. 457 (2016).
Georgia Data Peaches