sb455_SB_455_HCSFA

sb455_SB_455_HCSFA_10.html

06 SB 455/HCSFA

HOUSE SUBSTITUTE TO SENATE BILL 455

A BILL TO BE ENTITLED
AN ACT

To amend Article 3 of Chapter 11 of Title 16 of the Official Code of Georgia Annotated, relating to invasions of privacy, so as to provide a short title; to provide findings of fact; to define certain terms; to provide that it shall be illegal for a telephone records broker to obtain or release certain customer information; to provide for penalties; to provide for exceptions; to amend Code Section 43-38-11 of the Official Code of Georgia Annotated, relating to denial, revocation, or sanction of licenses and registrations, action by the Georgia Board of Private Detective and Security Agencies, and judicial review, so as to provide that it shall be grounds for such board to deny or revoke a license if the applicant has obtained certain customer information; to amend Chapter 5 of Title 46 of the Official Code of Georgia Annotated, relating to telephone and telegraph service, so as to define certain terms; to provide that no telecommunications company may release certain customer information; to provide for exceptions; to provide for action in the event of a breach of security; to provide for customer notification; to provide that a violation of such provisions shall be an unfair or deceptive practice in consumer transactions; to provide for an effective date; to provide for related matters; to repeal conflicting laws; and for other purposes.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:

SECTION 1.

This Act shall be known and may be cited as the "Telephone Records Privacy Protection Act."

SECTION 2.

The General Assembly finds that:

(1) Telephone records can be of great use to criminals because the information contained in call logs listed in such records include a wealth of personal data;

(2) Many call logs reveal the names of telephone userś doctors, public and private relationships, business associates, and more;

(3) Although other personal information such as social security numbers may appear on public documents, which can be accessed by data brokers, the only warehouse of telephone records is located at the telephone companies themselves;

(4) Telephone records are sometimes accessed without authorization of the customer by:

(A) An employee of the telephone service provider selling the data; and

(B) "Pretexting," whereby a data broker or other person pretends to be the owner of the telephone and convinces the telephone companýs employees to release the data to such person; and

(5) Telephone companies encourage customers to manage their accounts online with many setting up the online capability in advance, although many customers never access their account online. If someone seeking the information activates the account before the customer, he or she can gain unfettered access to the telephone records and call logs of that customer.

SECTION 3.

Article 3 of Chapter 11 of Title 16 of the Official Code of Georgia Annotated, relating to invasions of privacy, is amended by inserting a new Code section to read as follows:

"16-11-70.

(a) As used in this Code section, the term:

(1) 'End user' means any person, corporation, partnership, firm, municipality, cooperative, organization, governmental agency, building owner, or other entity provided with a telecommunications service for its own consumption and not for resale.

(2) 'Telephone record' means information retained by a telecommunications company that relates to the telephone number dialed by the customer, the number of telephone calls directed to a customer, or other data related to the telephone calls typically contained on a customer telephone bill, such as the time the calls started and ended, the duration of the calls, the time of day the calls were made, and any charges applied. For purposes of this Code section, any information collected and retained by, or on behalf of, customers utilizing caller identification or other similar technology does not constitute a telephone record.

(3) 'Telephone records broker' means any person or organization that is neither a telecommunications company nor a vendor or supplier for a telecommunications company obligated by contract to protect the confidentiality of telephone records and that purchases, acquires, sells, or releases the telephone record of any third party with whom it has no prior or existing business relationship or that attempts to purchase, acquire, sell, or release the telephone record of any party with whom it has no prior or existing business relationship.

(b) It is unlawful for any telephone records broker to purchase, acquire, sell, or release the telephone records of any person who is a Georgia resident or to attempt to purchase, acquire, sell, or release the telephone record of any third party who is a Georgia resident. This Code section applies whether the customeŕs telephone record is obtained by the telephone records broker directly from a telecommunications company or from any other third-party source. For purposes of this Code section, a person is a Georgia resident if the individual has a Georgia billing address.

(c) A violation of any provision of this Code section shall be punishable by a civil fine in an amount not to exceed $10,000.00 for each violation. The prosecuting attorney or the Attorney General shall be authorized to prosecute the civil case. Each telephone record purchased, acquired, sold, or released and each attempt to purchase, acquire, sell, or release a telephone record constitutes a separate violation of this Code section.

(d) Any violation of this Code section shall constitute a tort and shall create a right of action in the person or entity whose telephone records have been purchased, acquired, sold, or released for which damages may be recovered. Special damages may be inferred by the violation. Reasonable attorneýs fees shall be awarded to the plaintiff where the plaintiff has prevailed in the underlying action.

(e) No provision of this Code section shall be construed to prevent any action by a law enforcement agency or any officer, employee, or agent of a law enforcement agency to obtain the telephone records or personal identifying information of any third party who is a Georgia resident in connection with the performance of the official duties of the agency, officer, employee, or agent."

SECTION 4.

Code Section 43-38-11 of the Official Code of Georgia Annotated, relating to denial, revocation, or sanction of licenses and registrations, action by the Georgia Board of Private Detective and Security Agencies, and judicial review, is amended by striking the word "or" at the end of paragraph (14) of subsection (a), by striking the period at the end of paragraph (15) of subsection (a) and inserting in lieu thereof "; or", and by inserting immediately following paragraph (15) of subsection (a) a new paragraph to read as follows:

"(16) Purchased, acquired, sold, or released the telephone records, as such term is defined in Code Section 46-5-210, of any third party who is a Georgia resident."

SECTION 5.

Chapter 5 of Title 46 of the Official Code of Georgia Annotated, relating to telephone and telegraph service, is amended by inserting at the end thereof a new article to read as follows:

"ARTICLE 6.

46-5-210.

(a) As used in this article, the term:

(1) 'Breach of telephone records' means the unauthorized acquisition of telephone records that compromises the security, confidentiality, or integrity of that information as maintained by the telecommunications company.

(2) 'End user' means any person, corporation, partnership, firm, municipality, cooperative, organization, governmental agency, building owner, or other entity provided with a telecommunications service for its own consumption and not for resale.

(3) 'Notice' means:

(A) Written notice;

(B) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code; or

(C) Substitute notice, if the telecommunications company demonstrates that the cost of providing notice would exceed $250,000.00, that the affected class to be notified exceeds 500,000 individuals, or that the telecommunications company does not have sufficient contact information to provide written or electronic notice to such individuals. Substitute notice shall consist of all of the following:

(i) E-mail notice, if the telecommunications company has e-mail addresses for the individuals to be notified;

(ii) Conspicuous posting of the notice on the telecommunications companýs website, if the telecommunications company maintains one; and

(iii) Notification to major state-wide media.

(4) 'Telephone record' means information retained by a telecommunications company that relates to the telephone number dialed by the customer, the number of telephone calls directed to a customer, or other data related to the telephone calls typically contained on a customer telephone bill, such as the time the calls started and ended, the duration of the calls, the time of day the calls were made, and any charges applied. For purposes of this article, any information collected and retained by, or on behalf of, customers utilizing caller identification or other similar technology does not constitute a telephone record.

46-5-211.

No telecommunications company may release the telephone records of any end user with a Georgia billing address without the express consent of the end user except with proper law enforcement or court order documentation, as otherwise allowed by law, or by an interconnection agreement that has been approved by the Public Service Commission.

46-5-212.

Each telecommunications company shall provide annually to the office of the Attorney General certification that it has established operating procedures for security of telephone records that are adequate to ensure compliance with 47 U.S.C. Section 222 and any rules promulgated thereunder.

46-5-213.

No provision of this article shall be construed to prohibit a telecommunications company, vendor, or supplier from obtaining, using, releasing, or permitting access to any telephone record of any end user with a Georgia billing address:

(1) As otherwise authorized or permitted by law or by an interconnection agreement that has been approved by the Public Service Commission;

(2) With the lawful consent of the end user or the end useŕs designated representative;

(3) As necessary for the provision of services and management of the network, for the protection of the rights or property of the provider, for the protection of end users, and for the protection of other telecommunications companies from fraudulent, abusive, or unlawful use of or subscription to services;

(4) To a governmental entity, if the telecommunications company reasonably believes that an emergency involving the immediate danger of death or serious physical injury to any person justifies disclosure of the information;

(5) To the National Center for Missing and Exploited Children, in connection with the report submitted thereto under Section 227 of the federal Victims of Child Abuse Act of 1990;

(6) To the telecommunications companýs affiliates, agents, suppliers, vendors, or subcontractors to provide service or billing functions; or

(7) To a court or party to a legal proceeding pursuant to a court order, subpoena, notice to produce, or discovery in that proceeding.

46-5-214.

(a) In the event of a breach of a telephone record concerning a Georgia resident, the telecommunications company must provide notice to the Georgia resident immediately following discovery or notification of the breach if such breach is reasonably likely to cause quantifiable harm to the Georgia resident. The notice must be made in the most expedient manner possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the telephone record.

(b) Notwithstanding any provisions of this article to contrary, a telecommunications company that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Code section shall be deemed to be in compliance with the notification requirements of this Code section if it notifies the individuals who are the subject of the notice in accordance with its policies in the event of a breach of the security of the system.

(c) The notice required by this Code section shall be delayed if a law enforcement agency informs the business that notification may impede a criminal investigation or jeopardize national or homeland security, provided that such request is made in writing or the business documents such request contemporaneously in writing, including the name of the law enforcement officer making the request and the officeŕs law enforcement agency engaged in the investigation. The notice required by this Code section shall be provided without unreasonable delay after the law enforcement agency communicates to the business its determination that notice will no longer impede the investigation or jeopardize national or homeland security.

(d) A violation of this Code section constitutes an unfair or deceptive practice in consumer transactions within the meaning of Part 2 of Article 15 of Chapter 1 of Title 10, the 'Fair Business Practices Act of 1975.'"

SECTION 6.

This Act shall become effective upon its approval by the Governor or upon its becoming law without such approval.

SECTION 7.

All laws and parts of laws in conflict with this Act are repealed.