06 LC 21 8673
Senate Bill 455
By: Senators Shafer of the 48th and Wiles of the 37th
A BILL TO BE ENTITLED
AN ACT
To amend Article 3 of Chapter 11 of Title 16 of the Official Code of Georgia
Annotated, relating to invasions of privacy, so as to define certain terms; to
provide that it shall be illegal for a customer proprietary network information
broker to obtain or release certain customer information; to provide for
penalties; to provide for exceptions; to amend Code Section 43-38-11 of the
Official Code of Georgia Annotated, relating to denial, revocation, or sanction
of licenses and registrations, action by the Georgia Board of Private Detective
and Security Agencies, and judicial review, so as to provide that it shall be
grounds for such board to deny or revoke a license if the applicant has obtained
certain customer information; to amend Chapter 5 of Title 46 of the Official
Code of Georgia Annotated, relating to telephone and telegraph service, so as to
define certain terms; to provide that no telecommunications company may release
certain customer information; to provide for rules and regulations; to provide
for exceptions; to provide for action in the event of a breach of security; to
provide for customer notification; to provide that any waiver of such
protections is void; to provide that a violation of such provisions shall be an
unfair or deceptive practice in consumer transactions; to provide for an
effective date; to provide for related matters; to repeal conflicting laws; and
for other purposes.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:
SECTION 1.
Article 3 of Chapter 11 of Title 16 of the Official Code of Georgia Annotated, relating
to invasions of privacy, is amended by inserting at the end thereof a new Code
section to read as follows:
"16-11-70.
(a) As used in this Code section, the term:
(1) 'Customer proprietary network information' means information:
(A) Maintained by a telecommunications carrier that relates to the quantity,
technical configuration, type, destination, and amount of use of any
telecommunications service subscribed to by an end user of the
telecommunications carrier and that is made available to the carrier by the end
user solely by virtue of its relationship with the carrier;
(B) Contained in the end user's billing statement pertaining to
telecommunications services received by the end
user from a telecommunications carrier; and
(C) Identifying the location of the end user or that may be used to identify the
location of an end user.
(2) 'Customer proprietary network information broker' means any person or
organization that purchases, acquires, sells, or releases the customer
proprietary network information of any third party or that attempts to purchase,
acquire, sell, or release the customer proprietary network information of any
third party.
(3) 'End user' means any person, corporation, partnership, firm, municipality,
cooperative, organization, governmental agency, building owner, or other entity
provided with a telecommunications service for its own consumption and not for
resale.
(4) 'Personal identifying information' means any of the following information:
(A) A person's name;
(B) A person's address;
(C) A person's date of birth;
(D) A person's telephone number;
(E) A person's driver's license number or Georgia identification card number;
(F) A person's social security number;
(G) A person's public, private, or government employer, place of employment, or
employee identification number;
(H) The maiden name of a person's mother;
(I) The number assigned to a person's depository account, savings account, or
brokerage account;
(J) The number assigned to a person's credit or debit card;
(K) Personal identification numbers;
(L) Electronic identification numbers;
(M) Digital signals; and
(N) Any other numbers or information which can be used to access a person's
financial resources or to identify a specific individual.
(b) It is unlawful for any customer proprietary network information broker to
purchase, acquire, sell, or release the customer proprietary network information
or any personal identifying information of any person who is a Georgia resident
or to attempt to purchase, acquire, sell, or release the customer proprietary
network information or any personal identifying information of any third party
who is a Georgia resident. This Code section applies whether the customer
proprietary network information is obtained by the customer proprietary network
information broker directly from a telecommunications carrier or from any other
third party source. For purposes of this Code section, a person is a Georgia
resident if the individual has a Georgia billing address or a Georgia area
code.
(c) A violation of any provision of this Code section is a business offense
punishable by a fine in an amount not to exceed $10,000.00 for each violation.
Each item of customer proprietary network information or personal identifying
information purchased, acquired, sold, or released and each attempt to purchase,
acquire, sell, or release customer proprietary network information constitute a
separate violation of this Code section. Any person who has been injured by a
violation of this Code section may commence an action in circuit court for
damages against the customer proprietary network information broker who
committed the violation. If the court awards damages to the plaintiff in any
action brought under this Code section, the court shall award the plaintiff
court costs and attorney's fees.
(d) No provision of this Code section shall be construed to prevent any action by a
law enforcement agency or any officer, employee, or agent of a law enforcement
agency to obtain the customer proprietary network information or personal
identifying information of any third party who is a Georgia resident in
connection with the performance of the official duties of the agency, officer,
employee, or agent."
SECTION 2.
Code Section 43-38-11 of the Official Code of Georgia Annotated, relating to denial,
revocation, or sanction of licenses and registrations, action by the Georgia
Board of Private Detective and Security Agencies, and judicial review, is
amended by striking the word "or" at the end of paragraph (14) of subsection
(a), by striking the period at the end of paragraph (15) of subsection (a) and
inserting in lieu thereof "; or", and by inserting immediately following
paragraph (15) of subsection (a) a new paragraph to read as
follows:
"(16) Purchased, acquired, sold, or released the customer proprietary network
information or personal identifying information, as such terms are defined in
Code Section 46-5-210, of any third party who is a Georgia resident."
SECTION 3.
Chapter 5 of Title 46 of the Official Code of Georgia Annotated, relating to telephone
and telegraph service, is amended by inserting at the end thereof a new article
to read as follows:
"ARTICLE 6.
46-5-210.
(a) As used in this article, the term:
(1) 'Breach of customer proprietary network information or personal identifying
information' means the unauthorized acquisition of customer proprietary network
information or personal identifying information that compromises the security,
confidentiality, or integrity of that information as maintained by the
telecommunications carrier.
(2) 'Customer proprietary network information' means information:
(A) Maintained by a telecommunications carrier that relates to the quantity,
technical configuration, type, destination, and amount of use of any
telecommunications service subscribed to by an end user of the
telecommunications carrier and that is made available to the carrier by the end
user solely by virtue of its relationship with the carrier;
(B) Contained in the end user's billing statement pertaining to
telecommunications services received by the end
user from a telecommunications carrier; and
(C) Identifying the location of the end user or that may be used to identify the
location of an end user.
(3) 'End user' means any person, corporation, partnership, firm, municipality,
cooperative, organization, governmental agency, building owner, or other entity
provided with a telecommunications service for its own consumption and not for
resale.
(4) 'Personal identifying information' means any of the following information:
(A) A person's name;
(B) A person's address;
(C) A person's date of birth;
(D) A person's telephone number;
(E) A person's driver's license number or Georgia identification card number;
(F) A person's social security number;
(G) A person's public, private, or government employer, place of employment, or
employee identification number;
(H) The maiden name of a person's mother;
(I) The number assigned to a person's depository account, savings account, or
brokerage account;
(J) The number assigned to a person's credit or debit card;
(K) Personal identification numbers;
(L) Electronic identification numbers;
(M) Digital signals; and
(N) Any other numbers or information which can be used to access a person's
financial resources, or to identify a specific individual.
46-5-211.
No telecommunications carrier may release the customer proprietary network
information or personal identifying information of any end user with a Georgia
billing address or a Georgia area code without the express consent of the end
user except with proper law enforcement or court order
documentation.
46-5-212.
(a) Not later than July 1, 2007, the commission shall adopt rules to regulate the
security of customer proprietary network information and personal identifying
information including, but not limited to, all of the following
provisions:
(1) Security standards to protect the confidentiality of data records containing
customer proprietary network information and personal identifying
information;
(2) Authentication procedures necessary to provide access by the end user or
the end user's authorized representative to the end user's
customer proprietary network information and personal identifying information;
and
(3) Reporting requirements for telecommunications carriers, remedies, and other
enforcement mechanisms to ensure compliance with this article.
(b) The rules provided for in subsection (a) of this Code section may allow for an
implementation period of up to one year for a telecommunications carrier to
implement the rules adopted by the commission in accordance with this article if
the commission determines that immediate and full compliance with the rules
would be unduly economically burdensome or technically unfeasible for the
telecommunications carrier.
46-5-213.
No provision of this article shall be construed to prohibit a telecommunications
carrier from obtaining, using, releasing, or permitting access to any customer
proprietary network information or personal identifying information of any end
user with a Georgia billing address or a Georgia area code:
(1) As otherwise authorized by law;
(2) With the lawful consent of the end user or the end user's designated
representative;
(3) As necessary for the provision of services, for the protection of the rights or
property of the provider, for the protection of end users, and for the
protection of other telecommunications carriers from fraudulent, abusive, or
unlawful use of or subscription to services;
(4) To a governmental entity, if the telecommunication carrier reasonably believes
that an emergency involving the immediate danger of death or serious physical
injury to any person justifies disclosure of the information; or
(5) To the National Center for Missing and Exploited Children, in connection with
the report submitted thereto under Section 227 of the federal Victims of Child
Abuse Act of 1990.
46-5-214.
(a) In the event of a breach of customer proprietary network information or personal
identifying information concerning a Georgia resident, the telecommunications
carrier must notify the Georgia resident immediately following discovery or
notification of the breach. The notice must be made in the most expedient manner
possible and without unreasonable delay, consistent with any measures necessary
to determine the scope of the breach and restore the reasonable integrity,
security, and confidentiality of the customer proprietary network information or
personal identifying information.
(b) If the telecommunications carrier discovers or has reason to believe that
customer proprietary network information or personal identifying information
concerning a Georgia resident was acquired by an unauthorized person, the
telecommunications carrier must immediately notify the Georgia resident and
disclose any breach or suspected breach of customer proprietary information or
personal identifying information. The notice must be made in the most expedient
manner possible and without unreasonable delay, consistent with any measures
necessary to determine the scope of the acquisition by an unauthorized person
and to restore the reasonable integrity, security, and confidentiality of the
customer proprietary network information or personal identifying
information.
(c) Notice to Georgia residents under this Code section may be provided by any one
of the following methods:
(1) Written notice;
(2) Electronic notice, if the notice provided is consistent with the provisions
regarding electronic records and signatures for notices legally required to be
in writing, as set forth in Section 7001 of Title 15 of the United States Code;
or
(3) Substitute notice, if the telecommunications carrier demonstrates that the cost
of providing notice would exceed $250,000.00, providing notice to the affected
class of subject persons to be notified would exceed $500,000.00, or if the
telecommunications carrier does not have sufficient contact information.
Substitute notice shall consist of all of the following:
(A) E-mail notice if the telecommunications carrier has an e-mail address for the
subject persons;
(B) Conspicuous posting of the notice on the telecommunication carrier's
website, if the telecommunications carrier maintains one; and
(C) Notice to major state-wide media.
(d) Notwithstanding any other provision of this Code section to the contrary, if a
telecommunications carrier maintains its own notice procedures as part of a
security policy for the treatment of customer proprietary network information or
personal identifying information that is otherwise consistent with the timing
requirements of this Code section, then that carrier shall be deemed to be in
compliance with the notice requirements of this Code section if the
telecommunications carrier notifies Georgia residents in accordance with its
policies in the event of a breach of the security of customer proprietary
network information or personal identifying information.
(e) Any waiver of the provisions of this Code section is contrary to public policy
and is void and unenforceable.
(g) A violation of this Code section constitutes an unfair or deceptive practice in
consumer transactions within the meaning of Part 2 of Article 15 of Chapter 1 of
Title 10, the 'Fair Business Practices Act of 1975.'"
SECTION 4.
This Act shall become effective upon its approval by the Governor or upon its
becoming law without such approval.
SECTION 5.
All laws and parts of laws in conflict with this Act are repealed.
