Mandated Timeframe for Breach Reporting and/or Consumer Notification
Without unreasonable delay
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Third Party: Specific Obligations
Third Party: Mandated Contracts
Requests for Information
Fines & Penalties
Penalties for violations of breach and notification laws are not currently available. See below for other privacy-related penalties.
Third Party Management
None to minimal
Vendors must report to the data owner within 24 hours following discovery of a breach. The data owner will be responsible to complete the reporting and consumer notification.
When consumer notification is made to more than 10,000 residents of this state at one time, the breach must also be reported, without unreasonable delay, to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
There are additional laws for data protection and data disposal to prevent a breach of personal information.
Fines for violations of the data disposal law may be up to $500.00 for each customer’s record containing personal information that is wrongfully disposed of or discarded, with a total fine of up to $10,000.00.
Penalties for violations of data protection laws may be up to $250.00 for the first violation and up to $1,000.00 for a second or subsequent violation.
There are separate laws covering data for education and health.
A pending bill, the Georgia Personal Data Security Act, has stricter requirements for consumer notification and breach reporting, and stricter penalties for violations.
If a breach affects residents of other states, those residents need to be notified under the laws of their own state.
Statutes and Laws
O.C.G.A. §§ 10-1-910 – 10-1-912 Notification required upon breach of security regarding personal information (2005)
O.C.G.A. § 46-5-214 Action in event of telephone record security breach (2006)
O.C.G.A. §§ 10-15-1 – 10-15-7 Disposal of business records containing personal information; Handling of receipts for credit card transactions; Prohibited activities involving magnetic strip or stripe on payment card (2002)
O.C.G.A. § 10-1-393.8 Protection from disclosure of an individual’s social security number (2006)
O.C.G.A. § 33-24-57.1 Health insurance identification card; issue required; contents; updating; social security numbers not to be displayed (2000)
O.C.G.A. §§ 20-2-660 – 20-2-668 Student Data Privacy, Accessibility, and Transparency Act (2015)
O.C.G.A. §§ 31-33-1 – 31-33-8 Health Records (1984)