Georgia Data Breach Notification Law

Notification deadline: Most expedient time possible, without unreasonable delay

Enforcement: Georgia Attorney General, Consumer Protection Division

Overview

Georgia requires businesses to notify affected residents "in the most expedient time possible" after a breach. Information brokers have additional requirements and must notify the Georgia Consumer Protection Division.

Who Must Be Notified

• • Affected Georgia residents
• • Consumer reporting agencies (if 10,000+ residents affected)
• • Consumer Protection Division (for information brokers)

Covered Data Types

Social Security number, Driver's license number, State ID card number, Financial account number with access code, Credit/debit card number with access code

Notification Requirements

• • Written, telephonic, or electronic notice
• • Most expedient time possible without unreasonable delay
• • Substitute notice allowed if cost exceeds $50,000 or 100,000+ affected
• • Information brokers must notify Consumer Protection Division
• • Notify consumer reporting agencies if 10,000+ affected

Exemptions

• • Encrypted data (if key not compromised)
• • Good faith acquisition by employee
• • Publicly available information
• • Entities in compliance with GLBA, HIPAA

Penalties

Subject to unfair or deceptive practices provisions. AG can seek injunctions and penalties under Consumer Protection Act.