07 LC
35 0506
Senate
Bill 236
By:
Senators Rogers of the 21st, Hudgens of the 47th, Thompson of the 33rd, Goggans
of the 7th, Hawkins of the 49th and others
A
BILL TO BE ENTITLED
AN ACT
AN ACT
To
amend Article 34 of Chapter 1 of Title 10 of the Official Code of Georgia
Annotated, relating to identity theft, so as to provide for definitions; to
provide for notification by certain state agencies upon a breach of security
regarding personal information; to amend Article 8 of Chapter 9 of Title 16 of
the Official Code of Georgia Annotated, relating to the offense of identity
fraud, so as to change certain provisions relating to the elements of the
offense of identity fraud; to provide for a victim´s right to file a report
with a law enforcement agency; to provide a short title; to provide for related
matters; to provide an effective date; to repeal conflicting laws; and for other
purposes.
BE
IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:
SECTION
1.
This
Act shall be known and may be cited as the "Georgia Personal Identity Protection
Act."
SECTION
2.
Article
34 of Chapter 1 of Title 10 of the Official Code of Georgia Annotated, relating
to identity theft, is amended by revising Code Section 10-1-911, relating to
definitions, as follows:
"10-1-911.
As
used in this article, the term:
(1)
'Breach of the security of the system' means unauthorized acquisition of an
individual´s computerized data that compromises the security,
confidentiality, or integrity of personal information of such individual
maintained by an information broker
or public
institution. Good faith acquisition of
personal information by an employee or agent of an information broker
or public
institution for the purposes of such
information broker
or public
institution is not a breach of the
security of the system, provided that the personal information is not used or
subject to further unauthorized disclosure.
(2)
'Information broker' means any person or entity who, for monetary fees or dues,
engages in whole or in part in the business of collecting, assembling,
evaluating, compiling, reporting, transmitting, transferring, or communicating
information concerning individuals for the primary purpose of furnishing
personal information to nonaffiliated third parties, but does not include any
governmental agency whose records are maintained primarily for traffic safety,
law enforcement, or licensing purposes.
(3)
'Notice' means:
(A)
Written notice;
(B)
Telephone
notice;
(C)
Electronic notice, if the notice provided is consistent with the provisions
regarding electronic records and signatures set forth in Section 7001 of Title
15 of the United States Code; or
(C)(D)
Substitute notice, if the information broker
or public
institution demonstrates that the cost of
providing notice would exceed
$250,000.00
$50,000.00,
that the affected class of individuals to be notified exceeds
500,000
100,000,
or that the information broker
or public
institution does not have sufficient
contact information to provide written or electronic notice to such individuals.
Substitute notice shall consist of all of the following:
(i)
E-mail notice, if the information broker
or public
institution has an e-mail address for the
individuals to be notified;
(ii)
Conspicuous posting of the notice on the information broker´s
or public
institution´s website page, if the
information broker
or public
institution maintains one;
and
(iii)
Notification to major state-wide media.
Notwithstanding
any provision of this paragraph to the contrary, an information broker
or public
institution that maintains its own
notification procedures as part of an information security policy for the
treatment of personal information and is otherwise consistent with the timing
requirements of this article shall be deemed to be in compliance with the
notification requirements of this article if it notifies the individuals who are
the subjects of the notice in accordance with its policies in the event of a
breach of the security of the system.
(4)
'Person' means any individual, partnership, corporation, limited liability
company, trust, estate, cooperative, association, or other entity. The term
'person' as used in this article shall not be construed to require duplicative
reporting by any individual, corporation, trust, estate, cooperative,
association, or other entity involved in the same transaction.
(5)
'Personal information' means an individual´s first name or first initial
and last name in combination with any one or more of the following data
elements, when either the name or the data elements are not encrypted or
redacted:
(A)
Social security number;
(B)
Driver´s license number or state identification card number;
(C)
Account number, credit card number, or debit card number, if circumstances exist
wherein such a number could be used without additional identifying information,
access codes, or passwords;
(D)
Account passwords or personal identification numbers or other access codes;
or
(E)
Any of the items contained in subparagraphs (A) through (D) of this paragraph
when not in connection with the individual´s first name or first initial
and last name, if the information compromised would be sufficient to perform or
attempt to perform identity theft against the person whose information was
compromised.
The
term 'personal information' does not include publicly available information that
is lawfully made available to the general public from federal, state, or local
government records.
(6)
'Public institution' means any state or local agency or subdivision thereof
including any department, bureau, authority, public university or college,
academy, commission, or other government entity; provided, however, that the
term 'public institution' shall not include any agency whose records are
maintained primarily for traffic safety, law enforcement, or licensing
purposes."
SECTION
3.
Said
article is further amended by revising Code Section 10-1-912, relating to
notification required upon breach of security regarding personal information, as
follows:
"10-1-912.
(a)
Any information broker
or public
institution that maintains computerized
data that includes personal information of individuals shall give notice of any
breach of the security of the system following discovery or notification of the
breach in the security of the data to any resident of this state whose
unencrypted personal information was, or is reasonably believed to have been,
acquired by an unauthorized person. The notice shall be made in the most
expedient time possible and without unreasonable delay, consistent with the
legitimate needs of law enforcement, as provided in subsection (c) of this Code
section, or with any measures necessary to determine the scope of the breach and
restore the reasonable integrity, security, and confidentiality of the data
system.
(b)
Any person or business that maintains computerized data on behalf of an
information broker
or public
institution that includes personal
information of individuals that the person or business does not own shall notify
the information broker
or public
institution of any breach of the security
of the data immediately following discovery, if the personal information was, or
is reasonably believed to have been, acquired by an unauthorized
person.
(c)
The notification required by this Code section may be delayed if a law
enforcement agency determines that the notification will compromise a criminal
investigation. The notification required by this Code section shall be made
after the law enforcement agency determines that it will not compromise the
investigation.
(d)
In the event that an information broker
or public
institution discovers circumstances
requiring notification pursuant to this Code section of more than 10,000
residents of this state at one time, the information broker
or public
institution shall also notify, without
unreasonable delay, all consumer reporting agencies that compile and maintain
files on consumers on a nation-wide basis, as defined by 15 U.S.C. Section
1681a, of the timing, distribution, and content of the
notices."
SECTION
4.
Article
8 of Chapter 9 of Title 16 of the Official Code of Georgia Annotated, relating
to the offense of identity fraud, is amended by revising Code Section 16-9-121,
relating to the elements of the offense, as follows:
"16-9-121.
(a)
A person commits the offense of identity fraud when
without the
authorization or permission of a person with the intent unlawfully to
appropriate resources of or cause physical harm to that person, or of any other
person, to his or her own use or to the use of a third
party he or she
willfully and
fraudulently:
(1)
Obtains or records identifying information of a person which would assist in
accessing the resources of that person or any other person; or
(2)
Accesses or attempts to access the resources of a person through the use of
identifying information.
(1)
Without authorization or consent, uses or possesses with intent to fraudulently
use, identifying information concerning an individual;
(2)
Uses identifying information of an individual under 18 years old over whom he or
she exercises custodial authority;
(3)
Uses or possesses with intent to fraudulently use, identifying information
concerning a deceased individual;
(4)
Creates, uses, or possesses with intent to fraudulently use, any counterfeit or
fictitious identifying information concerning a fictitious individual with
intent to use such counterfeit or fictitious identification information for the
purpose of committing or facilitating the commission of a crime or fraud on
another person; or
(5)
Without authorization or consent, creates, uses, or possesses with intent to
fraudulently use, any counterfeit or fictitious identifying information
concerning a real individual with intent to use such counterfeit or fictitious
identification information for the purpose of committing or facilitating the
commission of a crime or fraud on another person.
(b)
A person commits the offense of identity fraud by receipt of fraudulent
identification information when he or she willingly and knowingly receives and
accepts for identification purposes fraudulent, stolen, counterfeit, or
fictitious identifying information. In any prosecution under this subsection it
shall not be necessary to show a conviction of the principal thief or
counterfeiter.
(c)
The offenses created by this Code section shall not merge with any other
offense."
SECTION
5.
Said
article is further amended by adding a new Code section as follows:
"16-9-125.1.
(a)
A person who has learned or reasonably believes that he or she has been the
victim of identity fraud may contact the local law enforcement agency with
jurisdiction over his or her actual residence for the purpose of making an
incident report. The law enforcement agency having jurisdiction over the
complainant´s residence shall make a report of the complaint and provide
the complainant with a copy of the report. Where jurisdiction for the
investigation and prosecution of the complaint lies with another agency, the law
enforcement agency making the report shall forward a copy to the agency having
such jurisdiction and shall advise the complainant that the report has been so
forwarded.
(b)
Nothing in this Code section shall be construed so as to interfere with the
discretion of a law enforcement agency to allocate resources for the
investigation of crimes. A report created pursuant to this Code section is not
be required to be counted as an open case file."
SECTION
6.
This
Act shall become effective upon its approval by the Governor or upon its
becoming law without such approval and shall apply to all offenses occurring on
or after such date.
SECTION
7.
All
laws and parts of laws in conflict with this Act are repealed.