05 SB230/AP
Senate Bill 230
By: Senators Hamrick of the 30th, Grant of the 25th and Mullis of the 53rd
AS PASSED

AN ACT

To amend Chapter 1 of Title 10 of the Official Code of Georgia Annotated, relating to selling and other trade practices, so as to provide legislative findings; to provide definitions; to require information brokers to give notice to consumers of certain security breaches; to provide for related matters; to provide an effective date; to repeal conflicting laws; and for other purposes.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:
SECTION 1.

Chapter 1 of Title 10 of the Official Code of Georgia Annotated, relating to selling and other trade practices, is amended by adding a new Article 34 to read as follows:

"ARTICLE 34

10-1-910.

The General Assembly finds and declares as follows:
(1) The privacy and financial security of individuals is increasingly at risk due to the ever more widespread collection of personal information by both the private and public sectors;

(2) Credit card transactions, magazine subscriptions, real estate records, automobile registrations, consumer surveys, warranty registrations, credit reports, and Internet websites are all sources of personal information and form the source material for identity thieves;

(3) Identity theft is one of the fastest growing crimes committed in this state. Criminals who steal personal information such as social security numbers use the information to open credit card accounts, write bad checks, buy cars, purchase property, and commit other financial crimes with other people's identities;

(4) Implementation of technology security plans and security software as part of an information security policy may provide protection to consumers and the general public from identity thieves;

(5) Information brokers should clearly define the standards for authorized users of its data so that a breach by an unauthorized user is easily identifiable;

(6) Identity theft is costly to the marketplace and to consumers; and

(7) Victims of identity theft must act quickly to minimize the damage; therefore, expeditious notification of unauthorized acquisition and possible misuse of a person's personal information is imperative.
10-1-911.

As used in this article, the term:

(1) 'Breach of the security of the system' means unauthorized acquisition of an individual's computerized data that compromises the security, confidentiality, or integrity of personal information of such individual maintained by an information broker. Good faith acquisition of personal information by an employee or agent of an information broker for the purposes of such information broker is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(2) 'Information broker' means any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties, but does not include any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes.

(3) 'Notice' means:

  (A) Written notice;

  (B) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code; or

  (C) Substitute notice, if the information broker demonstrates that the cost of providing notice would exceed $250,000.00, that the affected class of individuals to be notified exceeds 500,000, or that the information broker does not have sufficient contact information to provide written or electronic notice to such individuals. Substitute notice shall consist of all of the following:

    (i) E-mail notice, if the information broker has an e-mail address for the individuals to be notified;

    (ii) Conspicuous posting of the notice on the information broker's website page, if the information broker maintains one; and

    (iii) Notification to major state-wide media.

Notwithstanding any provision of this paragraph to the contrary, an information broker that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this article shall be deemed to be in compliance with the notification requirements of this article if it notifies the individuals who are the subjects of the notice in accordance with its policies in the event of a breach of the security of the system.

(4) 'Person' means any individual, partnership, corporation, limited liability company, trust, estate, cooperative, association, or other entity. The term 'person' as used in this article shall not be construed to require duplicative reporting by any individual, corporation, trust, estate, cooperative, association, or other entity involved in the same transaction.

(5) 'Personal information' means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

  (A) Social security number;

  (B) Driver's license number or state identification card number;

  (C) Account number, credit card number, or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords;

  (D) Account passwords or personal identification numbers or other access codes; or

  (E) Any of the items contained in subparagraphs (A) through (D) of this paragraph when not in connection with the individual's first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.

The term 'personal information' does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
10-1-912.

(a) Any information broker that maintains computerized data that includes personal information of individuals shall give notice of any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this Code section, or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.

(b) Any person or business that maintains computerized data on behalf of an information broker that includes personal information of individuals that the person or business does not own shall notify the information broker of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this Code section may be delayed if a law enforcement agency determines that the notification will compromise a criminal investigation. The notification required by this Code section shall be made after the law enforcement agency determines that it will not compromise the investigation.

(d) In the event that an information broker discovers circumstances requiring notification pursuant to this Code section of more than 10,000 residents of this state at one time, the information broker shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nation-wide basis, as defined by 15 U.S.C. Section 1681a, of the timing, distribution, and content of the notices."
SECTION 2.

This Act shall become effective upon its approval by the Governor or upon its becoming law without such approval.

SECTION 3.

All laws and parts of laws in conflict with this Act are repealed.
