05 LC 9 1659

House Bill 638

By: Representatives Buckner of the 76th, Reece of the 11th, Smith of the 168th, Powell of the 29th, Jacobs of the 80th, and others
A BILL TO BE ENTITLED
AN ACT
To amend Chapter 1 of Title 10 of the Official Code of Georgia Annotated, relating to selling and other trade practices, so as to provide definitions; to require investigative consumer reporting agencies to give notice to consumers of certain security breaches; to provide for a standard of care to be exercised by investigative consumer reporting agencies; to provide for rules, regulations, and guidelines; to provide for related matters; to provide an effective date; to repeal conflicting laws; and for other purposes.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:
SECTION 1.

Chapter 1 of Title 10 of the Official Code of Georgia Annotated, relating to selling and other trade practices, is amended by adding a new Article 34 to read as follows:

"ARTICLE 34

10-1-910.

As used in this article, the term:
(1) 'Agency' or 'investigative consumer reporting agency' means any person or entity who, for monetary fees or dues, engages in whole or in part in the practice of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning consumers for the purposes of furnishing investigative consumer reports to third parties, but does not include any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes, or any licensed insurance agent or insurance broker.

(2) 'Breach of the security of the system' means unauthorized acquisition of a consumer's file or computerized data that compromises the security, confidentiality, or integrity of personal information of such consumer maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(3) 'Consumer' means a natural individual who has made application to a person for employment purposes; for insurance for personal, family, or household purposes; for the rental or purchase of a dwelling; or for other such purposes.

(4) 'File,' when used in connection with information on any consumer, means all of the information on that consumer recorded and retained by an investigative consumer reporting agency regardless of how the information is stored.
(5) 'Notice' means:

  (A) Written notice;

  (B) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code; or

  (C) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed $250,000.00, or that the affected class of persons to be notified exceeds 500,000, or the agency does not have sufficient contact information to provide written or electronic notice to such persons. Substitute notice shall consist of all of the following:

    (i) E-mail notice when the agency has an e-mail address for the persons to be notified;

    (ii) Conspicuous posting of the notice on the agency's website page, if the agency maintains one; and

    (iii) Notification to major state-wide media.

Notwithstanding any provision of this paragraph to the contrary, an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this article shall be deemed to be in compliance with the notification requirements of this article if it notifies the persons who are the subjects of the notice in accordance with its policies in the event of a breach of security of the system.
(6) 'Person' means any individual, partnership, corporation, limited liability company, trust, estate, cooperative, association, or other entity. The term 'person' as used in this article shall not be construed to require duplicative reporting by any individual, corporation, trust, estate, cooperative, association, or other entity involved in the same transaction.

(7) 'Personal information' means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

  (A) Social security number;

  (B) Driver's license number of an individual or number of an individual's identification card issued pursuant to Article 5 of Chapter 5 of Title 40; or

  (C) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

The term 'personal information' does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
10-1-911.

(a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information or file was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this Code section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this Code section shall be made after the law enforcement agency determines that it will not compromise the investigation.
10-1-912.

It shall be the duty of each investigative consumer reporting agency to exercise due diligence in establishing the identity, credibility, and legitimacy of each person to whom the agency provides personal information and the right of such person to receive such personal information.

10-1-913.

It shall be the duty of the Secretary of State to adopt rules and regulations establishing guidelines which shall be followed by each investigative consumer reporting agency in establishing the identity, credibility, and legitimacy of any person who buys or otherwise accesses any personal information maintained by an investigative consumer reporting agency."
SECTION 2.

This Act shall become effective upon its approval by the Governor or upon its becoming law without such approval.

SECTION 3.

All laws and parts of laws in conflict with this Act are repealed.
