07 SB236/AP
Senate
Bill 236
By:
Senators Rogers of the 21st, Hudgens of the 47th, Thompson of the 33rd, Goggans
of the 7th, Hawkins of the 49th and others
AS PASSED
AS PASSED
AN
ACT
To
amend Article 34 of Chapter 1 of Title 10 of the Official Code of Georgia
Annotated, relating to identity theft, so as to provide for definitions; to
provide for notification by certain data collectors upon a breach of security
regarding personal information; to amend Article 8 of Chapter 9 of Title 16 of
the Official Code of Georgia Annotated, relating to the offense of identity
fraud, so as to change certain provisions relating to the elements of the
offense of identity fraud; to create the offense of identity fraud by receipt of
fraudulent identification information; to provide for a victim´s right to
file a report with a law enforcement agency; to provide a short title; to modify
certain penalties; to provide for related matters; to provide an effective date;
to repeal conflicting laws; and for other purposes.
BE
IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:
SECTION
1.
This
Act shall be known and may be cited as the "Georgia Personal Identity Protection
Act."
SECTION
2.
Article
34 of Chapter 1 of Title 10 of the Official Code of Georgia Annotated, relating
to identity theft, is amended by revising Code Section 10-1-911, relating to
definitions, as follows:
"10-1-911.
As
used in this article, the term:
(1)
'Breach of the security of the system' means unauthorized acquisition of an
individual´s electronic data that compromises the security,
confidentiality, or integrity of personal information of such individual
maintained by an information broker or data collector. Good faith acquisition
or use of personal information by an employee or agent of an information broker
or data collector for the purposes of such information broker or data collector
is not a breach of the security of the system, provided that the personal
information is not used or subject to further unauthorized
disclosure.
(2)
'Data collector' means any state or local agency or subdivision thereof
including any department, bureau, authority, public university or college,
academy, commission, or other government entity; provided, however, that the
term 'data collector' shall not include any governmental agency whose records
are maintained primarily for traffic safety, law enforcement, or licensing
purposes or for purposes of providing public access to court records or to real
or personal property information.
(3)
'Information broker' means any person or entity who, for monetary fees or dues,
engages in whole or in part in the business of collecting, assembling,
evaluating, compiling, reporting, transmitting, transferring, or communicating
information concerning individuals for the primary purpose of furnishing
personal information to nonaffiliated third parties, but does not include any
governmental agency whose records are maintained primarily for traffic safety,
law enforcement, or licensing purposes.
(4)
'Notice' means:
(A)
Written notice;
(B)
Telephone notice;
(C)
Electronic notice, if the notice provided is consistent with the provisions
regarding electronic records and signatures set forth in Section 7001 of Title
15 of the United States Code; or
(D)
Substitute notice, if the information broker or data collector demonstrates that
the cost of providing notice would exceed $50,000.00, that the affected class of
individuals to be notified exceeds 100,000, or that the information broker or
data collector does not have sufficient contact information to provide written
or electronic notice to such individuals. Substitute notice shall consist of
all of the following:
(i)
E-mail notice, if the information broker or data collector has an e-mail address
for the individuals to be notified;
(ii)
Conspicuous posting of the notice on the information broker´s or data
collector´s website page, if the information broker or data collector
maintains one; and
(iii)
Notification to major state-wide media.
Notwithstanding
any provision of this paragraph to the contrary, an information broker or data
collector that maintains its own notification procedures as part of an
information security policy for the treatment of personal information and is
otherwise consistent with the timing requirements of this article shall be
deemed to be in compliance with the notification requirements of this article if
it notifies the individuals who are the subjects of the notice in accordance
with its policies in the event of a breach of the security of the
system.
(5)
'Person' means any individual, partnership, corporation, limited liability
company, trust, estate, cooperative, association, or other entity. The term
'person' as used in this article shall not be construed to require duplicative
reporting by any individual, corporation, trust, estate, cooperative,
association, or other entity involved in the same transaction.
(6)
'Personal information' means an individual´s first name or first initial
and last name in combination with any one or more of the following data
elements, when either the name or the data elements are not encrypted or
redacted:
(A)
Social security number;
(B)
Driver´s license number or state identification card number;
(C)
Account number, credit card number, or debit card number, if circumstances exist
wherein such a number could be used without additional identifying information,
access codes, or passwords;
(D)
Account passwords or personal identification numbers or other access codes;
or
(E)
Any of the items contained in subparagraphs (A) through (D) of this paragraph
when not in connection with the individual´s first name or first initial
and last name, if the information compromised would be sufficient to perform or
attempt to perform identity theft against the person whose information was
compromised.
The
term 'personal information' does not include publicly available information that
is lawfully made available to the general public from federal, state, or local
government records."
SECTION
3.
Said
article is further amended by revising Code Section 10-1-912, relating to
notification required upon breach of security regarding personal information, as
follows:
"10-1-912.
(a)
Any information broker or data collector that maintains computerized data that
includes personal information of individuals shall give notice of any breach of
the security of the system following discovery or notification of the breach in
the security of the data to any resident of this state whose unencrypted
personal information was, or is reasonably believed to have been, acquired by an
unauthorized person. The notice shall be made in the most expedient time
possible and without unreasonable delay, consistent with the legitimate needs of
law enforcement, as provided in subsection (c) of this Code section, or with any
measures necessary to determine the scope of the breach and restore the
reasonable integrity, security, and confidentiality of the data
system.
(b)
Any person or business that maintains computerized data on behalf of an
information broker or data collector that includes personal information of
individuals that the person or business does not own shall notify the
information broker or data collector of any breach of the security of the system
within 24 hours following discovery, if the personal information was, or is
reasonably believed to have been, acquired by an unauthorized
person.
(c)
The notification required by this Code section may be delayed if a law
enforcement agency determines that the notification will compromise a criminal
investigation. The notification required by this Code section shall be made
after the law enforcement agency determines that it will not compromise the
investigation.
(d)
In the event that an information broker or data collector discovers
circumstances requiring notification pursuant to this Code section of more than
10,000 residents of this state at one time, the information broker or data
collector shall also notify, without unreasonable delay, all consumer reporting
agencies that compile and maintain files on consumers on a nation-wide basis, as
defined by 15 U.S.C. Section 1681a, of the timing, distribution, and content of
the notices."
SECTION
4.
Article
8 of Chapter 9 of Title 16 of the Official Code of Georgia Annotated, relating
to the offense of identity fraud, is amended by revising Code Section 16-9-121,
relating to the elements of the offense, as follows:
"16-9-121.
(a)
A person commits the offense of identity fraud when he or she willfully and
fraudulently:
(1)
Without authorization or consent, uses or possesses with intent to fraudulently
use, identifying information concerning an individual;
(2)
Uses identifying information of an individual under 18 years old over whom he or
she exercises custodial authority;
(3)
Uses or possesses with intent to fraudulently use, identifying information
concerning a deceased individual;
(4)
Creates, uses, or possesses with intent to fraudulently use, any counterfeit or
fictitious identifying information concerning a fictitious individual with
intent to use such counterfeit or fictitious identification information for the
purpose of committing or facilitating the commission of a crime or fraud on
another person; or
(5)
Without authorization or consent, creates, uses, or possesses with intent to
fraudulently use, any counterfeit or fictitious identifying information
concerning a real individual with intent to use such counterfeit or fictitious
identification information for the purpose of committing or facilitating the
commission of a crime or fraud on another person.
(b)
A person commits the offense of identity fraud by receipt of fraudulent
identification information when he or she willingly accepts for identification
purposes identifying information which he or she knows to be fraudulent, stolen,
counterfeit, or fictitious. In any prosecution under this subsection it shall
not be necessary to show a conviction of the principal thief, counterfeiter, or
fraudulent user.
(c)
The offenses created by this Code section shall not merge with any other
offense.
(d)
This Code section shall not apply to a person under the age of 21 who uses a
fraudulent, counterfeit, or other false identification card for the purpose of
obtaining entry into a business establishment or for purchasing items which he
or she is not of legal age to purchase."
SECTION
5.
Said
article is further amended by adding a new Code section as follows:
"16-9-125.1.
(a)
A person who has learned or reasonably believes that he or she has been the
victim of identity fraud may contact the local law enforcement agency with
jurisdiction over his or her actual residence for the purpose of making an
incident report. The law enforcement agency having jurisdiction over the
complainant´s residence shall make a report of the complaint and provide
the complainant with a copy of the report. Where jurisdiction for the
investigation and prosecution of the complaint lies with another agency, the law
enforcement agency making the report shall forward a copy to the agency having
such jurisdiction and shall advise the complainant that the report has been so
forwarded.
(b)
Nothing in this Code section shall be construed so as to interfere with the
discretion of a law enforcement agency to allocate resources for the
investigation of crimes. A report created pursuant to this Code section is not
required to be counted as an open case file."
SECTION
6.
Said
article is further amended by revising Code Section 16-9-126, relating to
penalties for violations, as follows:
"16-9-126.
(a)
A violation of this article, other than a violation of Code Section 16-9-122,
shall be punishable by imprisonment for not less than one nor more than ten
years or a fine not to exceed $100,000.00, or both. Any person who commits such
a violation for the second or any subsequent offense shall be punished by
imprisonment for not less than three nor more than 15 years, a fine not to
exceed $250,000.00, or both.
(b)
A violation of this article which does not involve the intent to commit theft or
appropriation of any property, resource or other thing of value that is
committed by a person who is less than 21 years of age, shall be punishable by
imprisonment for not less than one nor more than three years or a fine not to
exceed $ 5,000.00, or both.
(c)
Any person found guilty of a violation of this article may be ordered by the
court to make restitution to any consumer victim or any business victim of such
fraud.
(d)
Each violation of this article shall constitute a separate offense.
(e)
Upon a conviction of a violation of this article, the court may issue any order
necessary to correct a public record that contains false information resulting
from the actions which resulted in the conviction."
SECTION
7.
This
Act shall become effective upon its approval by the Governor or upon its
becoming law without such approval and Section 4 shall apply to all offenses
occurring on or after such date.
SECTION
8.
All
laws and parts of laws in conflict with this Act are repealed.