05 LC 21 8362S
The Senate Science and Technology Committee offered the following substitute to SB 251:
A BILL TO BE ENTITLED
AN ACT
To amend Chapter 1 of Title 10 of the Official Code of Georgia Annotated, relating to selling and other trade practices, so as to provide a short title; to provide legislative findings; to provide definitions; to require certain business entities to give notice to consumers of certain security breaches; to provide for causes of actions and damages for unauthorized or improper access of personal information of consumers; to provide for certain criminal penalties; to provide for related matters; to provide an effective date; to repeal conflicting laws; and for other purposes.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:
SECTION 1.
Chapter 1 of Title 10 of the Official Code of Georgia Annotated, relating to selling and other trade practices, is amended by adding a new Article 34 to read as follows:
"ARTICLE 34
10-1-910.
This article shall be known and may be cited as the 'Data Base Privacy and Anti-identity Theft Act.'
10-1-911.
The General Assembly finds that:
(1) The privacy and financial security of individuals is increasingly at risk due to the ever more widespread collection of personal information by both the public and private sectors.
(2) Credit card transactions, magazine subscriptions, telephone numbers, real estate records, automobile registrations, consumer surveys, warranty registrations, credit reports, and Internet websites are all sources of personal information and form the source material for identity thieves.
(3) Identity theft is one of the fastest growing crimes committed in Georgia. Criminals who steal personal information, such as social security numbers, use the information to open credit card accounts, write bad checks, buy cars, and commit other financial crimes with other people's identities.
(4) Identity theft is costly to the marketplace and to consumers.
(5) Victims of identity theft must act quickly to minimize the damage. Therefore, expeditious notification of possible misuse of a person's personal information is imperative.
10-1-912.
As used in this article, the term:
(1) 'Breach of the security of the system' means unauthorized acquisition of a consumer's file or computerized data that compromises the security, confidentiality, or integrity of personal information of such consumer maintained by a business entity and causes or is reasonably believed likely to cause loss or injury to such consumer. Good faith acquisition of personal information by an employee or agent of the business entity for the purposes of the business entity is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
(2) 'Business entity' means any person or entity who, for profit, engages in a trade or business but does not include any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes.
(3) 'Consumer' means a natural individual.
(4) 'File,' when used in connection with information on any consumer, means all of the personal information on that consumer recorded, retained, or maintained by a business entity regardless of how the information is stored.
(5) 'Notice' means:
(A) Written notice;
(B) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code; or
(C) Substitute notice, if the business entity demonstrates that the cost of providing notice would exceed $250,000.00, that the affected class of persons to be notified exceeds 500,000, or that the business entity does not have sufficient contact information to provide written or electronic notice to such persons. Substitute notice shall consist of all of the following:
(i) E-mail notice when the business entity has an e-mail address for the persons to be notified;
(ii) Conspicuous posting of the notice on the business entity's website page, if the business entity maintains one; and
(iii) Notification to major state-wide media.
Notwithstanding any provision of this paragraph to the contrary, a business entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this article shall be deemed to be in compliance with the notification requirements of this article if it notifies the persons who are the subjects of the notice in accordance with its policies in the event of a breach of the security of the system.
(6) 'Person' means any individual, partnership, corporation, limited liability company, trust, estate, cooperative, association, or other entity. The term 'person' as used in this article shall not be construed to require duplicative reporting by any individual, corporation, trust, estate, cooperative, association, or other entity involved in the same transaction.
(7) 'Personal information' means a consumer's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social security number;
(B) Driver's license number of a consumer or number of a consumer's identification card issued pursuant to Article 5 of Chapter 5 of Title 40; or
(C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer's financial account.
The term 'personal information' does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(8) 'Unauthorized electronic access' means the accessing of personal information on consumers maintained by a business entity by any electronic means without the express permission or authorization of the business entity or its authorized agent.
(9) 'Unauthorized person' means any person who does not have authority or permission of a business entity to access personal information on consumers maintained by such business entity or who obtains access to such information by fraud, misrepresentation, subterfuge, or similar deceptive practices.
10-1-913.
(a) Any business entity that collects, assembles, maintains, or compiles files or computerized data that include personal information of consumers shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information or file was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this Code section, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(b) Any business entity that maintains computerized data that includes personal information that the business entity does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(c) The notification required by this Code section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this Code section shall be made after the law enforcement agency determines that it will not compromise the investigation.
10-1-914.
A business entity shall have a cause of action against any person that gains access to such business entity's files or computerized data containing personal information on consumers through fraud, misrepresentation, subterfuge, or similar deceptive practices or by unauthorized electronic access. Such business entity shall be authorized to recover all damages incurred by such business entity as a result of such improper access, including all costs of making the notifications required by Code Section 10-1-911, and reasonable attorney's fees.
10-1-915.
It shall be unlawful for any person to access or attempt to access personal information of consumers maintained by a business entity through fraud, misrepresentation, subterfuge, or similar deceptive practices or by unauthorized electronic access. Upon conviction, a person who violates this Code section shall be imprisoned for not less than one nor more than ten years, pay a fine not to exceed $100,000.00, or both."
SECTION 2.
This Act shall become effective upon its approval by the Governor or upon its becoming law without such approval.
SECTION 3.
All laws and parts of laws in conflict with this Act are repealed.
