Georgia Notice to Consumers of Data Security Breaches
Ga. Code § 10-1-910 - § 10-1-915
CITATION:
GEORGIA CODE (Last Updated: August 20, 2013)
Title 10. COMMERCE AND TRADE
Chapter 1. SELLING AND OTHER TRADE PRACTICES
Article 34. IDENTITY THEFT
§ 10-1-910. Legislative findings
§ 10-1-911. Definitions
§ 10-1-912. Notification required upon breach of security regarding personal information
§ 10-1-913. Definitions for this Code section and Code Section 10-1-914
§ 10-1-914. Consumer requested security freeze on credit report; timing; notifications; temporary lifting of freeze; application; fees
§ 10-1-915. Notice of right to security freeze
Section 10-1-910. Legislative findings
The General Assembly finds and declares as follows:
(1) The privacy and financial security of individuals is increasingly at risk due to the ever more widespread collection of personal information by both the private and public sectors;
(2) Credit card transactions, magazine subscriptions, real estate records, automobile registrations, consumer surveys, warranty registrations, credit reports, and Internet websites are all sources of personal information and form the source material for identity thieves;
(3) Identity theft is one of the fastest growing crimes committed in this state. Criminals who steal personal information such as social security numbers use the information to open credit card accounts, write bad checks, buy cars, purchase property, and commit other financial crimes with other people's identities;
(4) Implementation of technology security plans and security software as part of an information security policy may provide protection to consumers and the general public from identity thieves;
(5) Information brokers should clearly define the standards for authorized users of its data so that a breach by an unauthorized user is easily identifiable;
(6) Identity theft is costly to the marketplace and to consumers; and
(7) Victims of identity theft must act quickly to minimize the damage; therefore, expeditious notification of unauthorized acquisition and possible misuse of a person's personal information is imperative.
Code 1981, § 10-1-910, enacted by Ga. L. 2005, p. 851, § 1/SB 230.
Section 10-1-911. Definitions
As used in this article, the term:
(1) "Breach of the security of the system" means unauthorized acquisition of an individual's electronic data that compromises the security, confidentiality, or integrity of personal information of such individual maintained by an information broker or data collector. Good faith acquisition or use of personal information by an employee or agent of an information broker or data collector for the purposes of such information broker or data collector is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
(2) "Data collector" means any state or local agency or subdivision thereof including any department, bureau, authority, public university or college, academy, commission, or other government entity; provided, however, that the term "data collector" shall not include any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes or for purposes of providing public access to court records or to real or personal property information.
(3) "Information broker" means any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties, but does not include any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes.
(4) "Notice" means:
(A) Written notice;
(B) Telephone notice;
(C) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code; or
(D) Substitute notice, if the information broker or data collector demonstrates that the cost of providing notice would exceed $50,000.00, that the affected class of individuals to be notified exceeds 100,000, or that the information broker or data collector does not have sufficient contact information to provide written or electronic notice to such individuals. Substitute notice shall consist of all of the following:
(i) E-mail notice, if the information broker or data collector has an e-mail address for the individuals to be notified;
(ii) Conspicuous posting of the notice on the information broker's or data collector's website page, if the information broker or data collector maintains one; and
(iii) Notification to major state-wide media.
Notwithstanding any provision of this paragraph to the contrary, an information broker or data collector that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this article shall be deemed to be in compliance with the notification requirements of this article if it notifies the individuals who are the subjects of the notice in accordance with its policies in the event of a breach of the security of the system.
(5) "Person" means any individual, partnership, corporation, limited liability company, trust, estate, cooperative, association, or other entity. The term "person" as used in this article shall not be construed to require duplicative reporting by any individual, corporation, trust, estate, cooperative, association, or other entity involved in the same transaction.
(6) "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(A) Social security number;
(B) Driver's license number or state identification card number;
(C) Account number, credit card number, or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords;
(D) Account passwords or personal identification numbers or other access codes; or
(E) Any of the items contained in subparagraphs (A) through (D) of this paragraph when not in connection with the individual's first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.
The term "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Code 1981, § 10-1-911, enacted by Ga. L. 2005, p. 851, § 1/SB 230; Ga. L. 2007, p. 450, § 2/SB 236.
Section 10-1-912. Notification required upon breach of security regarding personal information
(a) Any information broker or data collector that maintains computerized data that includes personal information of individuals shall give notice of any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this Code section, or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
(b) Any person or business that maintains computerized data on behalf of an information broker or data collector that includes personal information of individuals that the person or business does not own shall notify the information broker or data collector of any breach of the security of the system within 24 hours following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(c) The notification required by this Code section may be delayed if a law enforcement agency determines that the notification will compromise a criminal investigation. The notification required by this Code section shall be made after the law enforcement agency determines that it will not compromise the investigation.
(d) In the event that an information broker or data collector discovers circumstances requiring notification pursuant to this Code section of more than 10,000 residents of this state at one time, the information broker or data collector shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nation-wide basis, as defined by 15 U.S.C. Section 1681a, of the timing, distribution, and content of the notices.
Code 1981, § 10-1-912, enacted by Ga. L. 2005, p. 851, § 1/SB 230; Ga. L. 2007, p. 450, § 3/SB 236.
Section 10-1-913. Definitions for this Code section and Code Section 10-1-914
As used in this Code section and in Code Section 10-1-914, the term:
(1) "Consumer" means a natural person residing in this state.
(2) "Consumer credit report" means a "consumer report" as defined in 15 U.S.C. Section 1681a(d) that a consumer reporting agency furnishes to a person which it has reason to believe intends to use the information as a factor in establishing the consumer's eligibility for credit to be used primarily for personal, family, or household purposes.
(3) "Consumer credit reporting agency" means any person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer credit reports to third parties.
(4) "Normal business hours" means any day, between the hours of 8:00 A.M. and 9:30 P.M., Eastern Standard Time.
(5) "Person" means any individual, partnership, corporation, trust, estate, cooperative, association, government, or governmental subdivision or agency, or other entity.
(6) "Proper identification" means information generally deemed sufficient to identify a person for consumer reporting agency purposes under 15 U.S.C. Section 1681 et seq.
(7) "Security freeze" means a restriction placed on a consumer credit report at the request of the consumer that prohibits a consumer credit reporting agency from releasing all or any part of the consumer's consumer credit report or any information derived from the consumer's consumer credit report for a purpose relating to the extension of credit without the express authorization of the consumer.
Code 1981, § 10-1-913, enacted by Ga. L. 2008, p. 594, § 1/HB 130.
Section 10-1-914. Consumer requested security freeze on credit report; timing; notifications; temporary lifting of freeze; application; fees
(a) A consumer may place a security freeze on the consumer's credit report by making a request in writing by certified mail to a consumer credit reporting agency. No later than August 1, 2008, a consumer credit reporting agency shall make available to consumers an Internet based method of requesting a security freeze and a toll-free telephone number for consumers to use to place a security freeze, temporarily lift a security freeze, or completely remove a security freeze. A security freeze shall prohibit, subject to exceptions in subsection (m) of this Code section, the consumer credit reporting agency from releasing the consumer's credit report or credit score without the prior express authorization of the consumer as provided in subsection (d) or (e) of this Code section. Nothing in this subsection prevents a consumer credit reporting agency from advising a third party that a security freeze is in effect with respect to the consumer's credit report.
(b) A consumer credit reporting agency shall place a security freeze on a consumer's credit report no later than three business days after receiving the consumer's written request sent by certified mail.
(c) The consumer credit reporting agency shall send a written confirmation of the security freeze to the consumer within ten business days of placing the security freeze and at the same time shall provide the consumer with a unique personal identification number or password, other than the consumer's social security number, to be used by the consumer when providing authorization for the release of the consumer's credit report for a specific period of time.
(d) If the consumer wishes to allow the consumer's credit report to be accessed for a specific period of time while a security freeze is in place, the consumer shall contact the consumer credit reporting agency through the contact method established by the consumer credit reporting agency, request that the security freeze be temporarily lifted, and provide all of the following:
(1) Proper identification;
(2) The unique personal identification number or password provided by the consumer credit reporting agency pursuant to subsection (c) of this Code section;
(3) The proper information regarding the time period for which the report shall be available to users of the consumer credit report; and
(4) The proper payment as may be required by the consumer credit reporting agency.
(e) A consumer credit reporting agency shall develop procedures involving the use of telephone, facsimile, the Internet, or other electronic media to receive and process a request from a consumer to temporarily lift a security freeze on a consumer credit report pursuant to subsection (d) of this Code section.
(f) A consumer credit reporting agency that receives a request from a consumer to temporarily lift a security freeze on a consumer credit report pursuant to subsection (d) or (e) of this Code section shall comply with the request:
(1) No later than three business days after receiving a written request; or
(2) Within 15 minutes after the request and payment are received by telephone or electronically by the contact method chosen by the consumer reporting agency during normal business hours and the request includes the consumer's proper identification, correct personal identification number or password, and the proper payment as may be required by the consumer credit reporting agency.
(g) A consumer reporting agency need not remove a security freeze within 15 minutes, as specified in paragraph (2) of subsection (f) of this Code section, if:
(1) The consumer fails to satisfy the requirements of subsection (d) of this Code section; or
(2) The consumer credit reporting agency's ability to remove the security freeze within 15 minutes is prevented by:
(A) An act of God, including fire, earthquakes, hurricanes, storms, or similar natural disaster or phenomenon;
(B) Unauthorized or illegal acts by a third party, including terrorism, sabotage, riot, vandalism, labor strikes or disputes disrupting operations, or similar occurrence;
(C) Operational interruption, including electrical failure, unanticipated delay in equipment or replacement part delivery, computer hardware or software failures inhibiting response time, or similar disruption;
(D) Governmental action, including emergency orders or regulations, judicial or law enforcement action, or similar directives;
(E) Regularly scheduled maintenance or updates, during other than normal business hours, to the consumer reporting agency's systems;
(F) Commercially reasonable maintenance of, or repair to, the consumer reporting agency's systems that is unexpected or unscheduled; or
(G) Receipt of a removal request outside of normal business hours.
(h) A consumer credit reporting agency shall only remove or temporarily lift a security freeze placed on a consumer's credit report:
(1) Upon the consumer's request, in compliance with the requirements of this Code section; or
(2) If the consumer's credit report was frozen due to a material misrepresentation of fact by the consumer. If a consumer credit reporting agency intends to remove a security freeze upon a consumer's credit report pursuant to this paragraph, the consumer credit reporting agency shall notify the consumer in writing prior to removing the security freeze on the consumer's credit report.
(i) If a third party requests access to a consumer credit report on which a security freeze is in effect and this request is in connection with an application for credit or any other use related to the extension of credit and the consumer does not allow the consumer's credit report to be accessed for that specific period of time, the third party may treat the application as incomplete.
(j) If a consumer requests a security freeze pursuant to this Code section, the consumer credit reporting agency shall disclose to the consumer the process of placing and temporarily lifting a security freeze and the process for allowing access to information from the consumer's credit report for a specific period of time while the security freeze is in place.
(k) A security freeze shall remain in place until the consumer requests that the security freeze be removed. A consumer credit reporting agency shall remove a security freeze within three business days of receiving a request for removal from the consumer. The consumer shall provide all of the following:
(1) Proper identification;
(2) The unique personal identification number or password provided by the consumer credit reporting agency pursuant to subsection (c) of this Code section; and
(3) The proper fee as may be required by the consumer credit reporting agency.
(l) A consumer credit reporting agency shall require proper identification of the person making a request to place, temporarily lift, or remove a security freeze.
(m) By way of example only, and not intending to be exclusive, the provisions of this Code section shall not apply to the use of a consumer credit report by any of the following:
(1) A person, or the person's subsidiary, affiliate, agent, subcontractor, or assignee with whom the consumer has, or prior to assignment had, an account, contract, or debtor-creditor relationship for the purposes of reviewing the active account or collecting the financial obligation owing for the account, contract, or debt;
(2) A subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted under subsection (d) of this Code section for purposes of facilitating the extension of credit or other permissible use;
(3) Any person acting pursuant to a court order, warrant, or subpoena;
(4) A state or local agency, or its agents or assigns, which administers a program for establishing and enforcing child support obligations;
(5) A state or local agency, or its agents or assigns, acting to investigate fraud, including Medicaid fraud; acting to investigate or collect delinquent taxes or assessments, including interest, penalties, and unpaid court orders; or acting to fulfill any of its other statutory responsibilities;
(6) A federal, state, or local governmental entity, including a law enforcement agency, court, or its agents or assigns;
(7) Any person for the use of a credit report for purposes permitted under 15 U.S.C. Section 1681b(c);
(8) Any person for the sole purpose of providing a credit file monitoring subscription service to which the consumer has subscribed;
(9) Any person for the purpose of providing a consumer with a copy of the consumer's credit report or credit score upon the consumer's request;
(10) Any depository financial institution for checking, savings, and investment accounts; or
(11) Any person or entity for insurance purposes, including use in setting or adjusting a rate, adjusting a claim, or underwriting.
(n) If a security freeze is in place, a consumer credit reporting agency shall not change any of the following official information in a credit report without sending a written confirmation of the change to the consumer within 30 days of the change being posted to the consumer's file: name, date of birth, social security number, and address. Written confirmation is not required for technical modifications of a consumer's official information, including name and street abbreviations, complete spellings, or transposition of numbers or letters. In the case of an address change, the written confirmation shall be sent to both the new address and the former address.
(o) The following persons shall not be required to place a security freeze in a consumer credit report pursuant to this Code section; provided, however, that any person that shall not be required to place a security freeze on a consumer credit report under the provisions of paragraph (3) of this subsection shall be subject to any security freeze placed on a consumer credit report by another consumer credit reporting agency from which it obtains information:
(1) A check services or fraud prevention services company, including reports on incidents of fraud, or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payment;
(2) A deposit account information service company, which issues reports regarding account closures due to fraud, substantial overdrafts, automated teller machine abuse, or other similar negative information regarding a consumer to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution;
(3) Resellers of consumer credit report information that assemble and merge information contained in a data base of one or more consumer credit reporting agencies and do not maintain a permanent data base of consumer credit information from which new consumer credit reports are produced; or
(4) A consumer credit reporting agency's data base or file which consists of information concerning, and used for, one or more of the following: criminal record information, fraud prevention or detection, personal claim loss history information, and employment, tenant, or individual background screening.
(p) This Code section shall not prevent a consumer credit reporting agency from charging a fee of no more than $3.00 to a consumer for each security freeze placement, any permanent removal of the security freeze, or any temporary lifting of the security freeze for a period of time. A consumer credit reporting agency shall not charge a person age 65 or over for the placement of a security freeze. A consumer credit reporting agency shall not charge any fee to a victim of identity theft who has submitted a copy of a valid investigative or incident report or complaint with a law enforcement agency about the unlawful use of the victim's identifying information by another person that was filed with the law enforcement agency no more than 90 days prior to the consumer's request for a security freeze. A consumer credit reporting agency may charge a fee of no more than $5.00 to a consumer for each replacement of a unique personal identification number or password.
(q) A person that violates this Code section may be investigated and prosecuted under the provisions of the Fair Business Practices Act, Code Section 10-1-390, et seq., and may be fined not more than $100.00 for a violation concerning a specific consumer.
Code 1981, § 10-1-914, enacted by Ga. L. 2008, p. 594, § 1/HB 130.
Section 10-1-915. Notice of right to security freeze
At any time that a consumer is required to receive a summary of rights required by 15 U.S.C. Section 1681g(d) of the federal Fair Credit Reporting Act, the consumer shall also be provided with the following notice:
"Georgia Consumers Have the Right to Obtain a Security Freeze.
You have a right to place a 'security freeze' on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. A security freeze must be requested in writing by certified mail or by electronic means as provided by a consumer reporting agency. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. If you are actively seeking a new credit, loan, utility, telephone, or insurance account, you should understand that the procedures involved in lifting a security freeze may slow your applications for credit. You should plan ahead and lift a freeze in advance of actually applying for new credit. When you place a security freeze on your credit report, you will be provided a personal identification number or password to use if you choose to remove the freeze on your credit report or authorize the release of your credit report for a period of time after the freeze is in place.
To provide that authorization you must contact the consumer reporting agency and provide all of the following:
(1) The personal identification number or password.
(2) Proper identification to verify your identity.
(3) The proper information regarding the period of time for which the report shall be available.
A consumer reporting agency must authorize the release of your credit report no later than fifteen (15) minutes after receiving the above information if the request is by electronic means or by telephone, or no later than three business days when a written request is submitted.
A security freeze does not apply to a person or entity, or its affiliates, or collection agencies acting on behalf of the person or entity, with which you have an existing account, that requests information in your credit report for the purposes of reviewing or collecting the account. Reviewing the account includes activities related to account maintenance. You have a right to bring civil action against anyone, including a consumer reporting agency, who improperly obtains access to a file, knowingly or willfully misuses file data, or fails to correct inaccurate file data. Unless you are a victim of identity theft with a police report or other official document acceptable to a consumer reporting agency to verify the crimes, or you are 65 or older, a consumer reporting agency has the right to charge you a fee of no more than $3.00 to place a freeze on your credit report."
Code 1981, § 10-1-915, enacted by Ga. L. 2008, p. 594, § 1/HB 130.
Notice to Consumers of Data Security Breaches (Georgia Code Annotated Title 10, Chapter 1, Article 34, Sec. 10-1-910 through 10-1-912, added by Laws of 2005, Act 163, approved and effective May 5, 2005.)
For more information, see here: http://ga.elaws.us/law/10-1%7C34
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.