Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Penalties for violations of breach and notification laws are not currently available. See below for other privacy-related penalties.

Regulation Levels
  • Areas rated: Breach Reporting, Consumer Notifications, Third Party Management, Data Protection
  • Rating scale: None to minimal, Basic Requirements, Comprehensive Requirements, Extensive Requirements
Quick Facts
  • Vendors must report to the data owner within 24 hours following discovery of a breach. The data owner is responsible for completing the reporting and consumer notification.
  • Breach reporting, without unreasonable delay, to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis is required when consumer notification was made to more than 10,000 residents of this state at one time.
  • There are additional laws for data protection and data disposal to prevent a breach of personal information.
  • Fines for violations of the data disposal law may be up to $500.00 for each customer’s record that contains personal information and is wrongfully disposed of or discarded, with a total fine of up to $10,000.00.
  • Fines for violations of data protection laws may be up to $250.00 for the first violation and up to $1,000.00 for a second or subsequent violation.
  • There are separate laws covering data for education and health.
  • There is a bill pending (Georgia Personal Data Security Act) with stricter requirements for consumer notification, breach reporting and penalties for violations.
  • If a breach affects residents of other states, those residents need to be notified in accordance with the laws of their state.
Statutes and Laws
  • O.C.G.A. §§ 10-1-910 – 10-1-912 Notification required upon breach of security regarding personal information (2005)
  • O.C.G.A. § 46-5-214 Action in event of telephone record security breach (2006)
  • O.C.G.A. §§ 10-15-1 – 10-15-7 Disposal of business records containing personal information; Handling of receipts for credit card transactions; Prohibited activities involving magnetic strip or stripe on payment card (2002)
  • O.C.G.A. § 10-1-393.8 Protection from disclosure of an individual’s social security number (2006)
  • O.C.G.A. § 33-24-57.1 Health insurance identification card; issue required; contents; updating; social security numbers not to be displayed (2000)
  • O.C.G.A. §§ 20-2-660 – 20-2-668 Student Data Privacy, Accessibility, and Transparency Act (2015)
  • O.C.G.A. §§ 31-33-1 – 31-33-8 Health Records (1984)