Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach and notification laws:
  • Not applicable

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Vendors must report to the data owner within 24 hours following discovery of a breach. The data owner is responsible for completing the reporting and consumer notification.
  • When consumer notification is made to more than 10,000 residents of this state at one time, the breach must also be reported, without unreasonable delay, to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • There are additional laws for data protection and data disposal to prevent a breach of personal information.
  • Fines for violations of the data disposal law may be up to $500 for each customer’s record containing personal information that is wrongfully disposed of or discarded, with a total fine of up to $10,000.
  • Fines for violations of data protection laws may be up to $250 for the first violation and up to $1,000 for a second or subsequent violation.
  • There are separate laws covering data for education and health.
  • If a breach affects residents in other states, those residents need to be notified under the laws of their own state.
Statutes and Laws
  • O.C.G.A. §§ 10-1-910 – 10-1-912 Notification required upon breach of security regarding personal information 
  • O.C.G.A. § 10-1-393.8 Protection from disclosure of an individual’s social security number
  • O.C.G.A. §§ 10-15-1 – 10-15-7 Disposal of business records containing personal information; Handling of receipts for credit card transactions; Prohibited activities involving magnetic strip or stripe on payment card
  • O.C.G.A. §§ 20-2-660 – 20-2-668 Student Data Privacy, Accessibility, and Transparency Act
  • O.C.G.A. §§ 31-33-1 – 31-33-8 Health Records 
  • O.C.G.A. § 33-24-57.1 Health insurance identification card; issue required; contents; updating; social security numbers not to be displayed 
  • O.C.G.A. § 46-5-214 Action in event of telephone record security breach