Written by: Richard Sheinis, Esq.
On January 20, 2016, the “Georgia Personal Data Security Act” was introduced in the State Senate. The current Georgia breach notification law is one of the weakest in the country. It only applies to “information brokers” and “data collectors” that maintain computerized personal information of individuals. An “information broker”, such as a credit reporting agency, is an entity that collects personal information for the purpose of furnishing this information to third parties. A “data collector” is a government agency or subdivision. Most business entities are not covered by the current law, and would not be required to notify individuals if the business experienced a data breach resulting in the disclosure of personal information.
The “Georgia Personal Data Security Act” is much broader than the current law. It would apply to any business that acquires, maintains, stores or uses personal information. Although most data breach notification laws are generally designed to protect consumers, the proposed law would apply to the personal information of the employees of a business, as well.
The new law would require businesses to notify individuals of any unauthorized acquisition of data that compromises the security, confidentiality, or integrity of the personal information of an individual that is maintained by the business. The law is one of the first to include student information, including grades, disciplinary history and standardized test scores, as personal information. This would be in addition to the types of personal information typically covered by data breach notification laws, such as credit card information, social security numbers, driver’s license numbers, and account numbers. The notification to individuals would have to include specific information about the incident itself. Even breaches involving just one individual would have to be reported to the Georgia Attorney General. The law has an encryption “safe harbor”, which means if the personal information is encrypted, notification is not required.
The proposed law would also require all businesses to “maintain reasonable safeguards to protect and secure personal information”. This part of the law is troubling because there is no guidance as to the meaning of “reasonable safeguards”. Reasonable safeguards can vary greatly from one business to another based on factors including the industry, the size of the business, and the type of personal information the business maintains. There are no references to industry standards such as Payment Card Industry Data Security Standards (“PCI DSS”), HIPAA for medical providers, National Institute of Science and Technology (“NIST”) guidance, or standards of the International Standards Organization (“ISO”). Such a vague requirement creates problems both in telling businesses what they are expected to do and in any proceedings to enforce compliance.
The Attorney General would be authorized to investigate potential violations, and impose a penalty of up to $500 for each individual who did not receive the required notice, not to exceed a total of $250,000 per breach incident. The law specifically states it does not create a private right of action for an individual to sue for a violation of this law. However, the law does not prohibit an individual from bringing suit under other laws, which might include invasion of privacy or other torts.
This law would be a major change for all businesses in Georgia. We will keep you posted as the Bill moves through the State Senate, and if it is passed by the Legislature.