07 LC
25 4900S
The
Senate Agriculture and Consumer Affairs Committee offered the following
substitute to SB 236:
A
BILL TO BE ENTITLED
AN ACT
AN ACT
To
amend Article 34 of Chapter 1 of Title 10 of the Official Code of Georgia
Annotated, relating to identity theft, so as to provide for definitions; to
provide for notification by certain data collectors upon a breach of security
regarding personal information; to amend Article 8 of Chapter 9 of Title 16 of
the Official Code of Georgia Annotated, relating to the offense of identity
fraud, so as to change certain provisions relating to the elements of the
offense of identity fraud; to create the offense of identity fraud by receipt of
fraudulent identification information; to provide for a victim´s right to
file a report with a law enforcement agency; to provide a short title; to modify
certain penalties; to provide for related matters; to provide an effective date;
to repeal conflicting laws; and for other purposes.
BE
IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:
SECTION
1.
This
Act shall be known and may be cited as the "Georgia Personal Identity Protection
Act."
SECTION
2.
Article
34 of Chapter 1 of Title 10 of the Official Code of Georgia Annotated, relating
to identity theft, is amended by revising Code Section 10-1-911, relating to
definitions, as follows:
"10-1-911.
As
used in this article, the term:
(1)
'Breach of the security of the system' means unauthorized acquisition of an
individual´s
computerized
data that compromises the security, confidentiality, or integrity of personal
information of such individual maintained by an information broker
or data
collector. Good faith acquisition
or
use of personal information by an employee
or agent of an information broker
or data
collector for the purposes of such
information broker
or data
collector is not a breach of the security
of the system, provided that the personal information is not used or subject to
further unauthorized disclosure.
(2)
'Data collector' means any state or local agency or subdivision thereof
including any department, bureau, authority, public university or college,
academy, commission, or other government entity or any private university or
college; provided, however, that the term 'data collector' shall not include any
agency whose records are maintained primarily for traffic safety, law
enforcement, or licensing purposes.
(2)(3)
'Information broker' means any person or entity who, for monetary fees or dues,
engages in whole or in part in the business of collecting, assembling,
evaluating, compiling, reporting, transmitting, transferring, or communicating
information concerning individuals for the primary purpose of furnishing
personal information to nonaffiliated third parties, but does not include any
governmental agency whose records are maintained primarily for traffic safety,
law enforcement, or licensing purposes.
(3)(4)
'Notice' means:
(A)
Written notice;
(B)
Telephone
notice;
(C)
Electronic notice, if the notice provided is consistent with the provisions
regarding electronic records and signatures set forth in Section 7001 of Title
15 of the United States Code; or
(C)(D)
Substitute notice, if the information broker
or data
collector demonstrates that the cost of
providing notice would exceed
$250,000.00
$50,000.00,
that the affected class of individuals to be notified exceeds
500,000
100,000,
or that the information broker
or data
collector does not have sufficient contact
information to provide written or electronic notice to such individuals.
Substitute notice shall consist of all of the following:
(i)
E-mail notice, if the information broker
or data
collector has an e-mail address for the
individuals to be notified;
(ii)
Conspicuous posting of the notice on the information broker´s
or data
collector´s website page, if the
information broker
or data
collector maintains one; and
(iii)
Notification to major state-wide media.
Notwithstanding
any provision of this paragraph to the contrary, an information broker
or data
collector that maintains its own
notification procedures as part of an information security policy for the
treatment of personal information and is otherwise consistent with the timing
requirements of this article shall be deemed to be in compliance with the
notification requirements of this article if it notifies the individuals who are
the subjects of the notice in accordance with its policies in the event of a
breach of the security of the system.
(4)(5)
'Person' means any individual, partnership, corporation, limited liability
company, trust, estate, cooperative, association, or other entity. The term
'person' as used in this article shall not be construed to require duplicative
reporting by any individual, corporation, trust, estate, cooperative,
association, or other entity involved in the same transaction.
(5)(6)
'Personal information' means an individual´s first name or first
initial,
and last name,
address, or phone number, in combination
with any one or more of the following data elements, when either the name or the
data elements are not encrypted or redacted:
(A)
Social security number;
(B)
Driver´s license number or state identification card number;
(C)
Account number, credit card number, or debit card number, if circumstances exist
wherein such a number could be used without additional identifying information,
access codes, or passwords;
(D)
Account passwords or personal identification numbers or other access codes;
or
(E)
Any of the items contained in subparagraphs (A) through (D) of this paragraph
when not in connection with the individual´s first name or first initial
and last name, if the information compromised would be sufficient to perform or
attempt to perform identity theft against the person whose information was
compromised.
The
term 'personal information' does not include publicly available information that
is lawfully made available to the general public from federal, state, or local
government records."
SECTION
3.
Said
article is further amended by revising Code Section 10-1-912, relating to
notification required upon breach of security regarding personal information, as
follows:
"10-1-912.
(a)
Any information broker
or data
collector that maintains computerized data
that includes personal information of individuals shall give notice of any
breach of the security of the system following discovery or notification of the
breach in the security of the data to any resident of this state whose
unencrypted personal information was, or is reasonably believed to have been,
acquired by an unauthorized person. The notice shall be made in the most
expedient time possible and without unreasonable delay, consistent with the
legitimate needs of law enforcement, as provided in subsection (c) of this Code
section, or with any measures necessary to determine the scope of the breach and
restore the reasonable integrity, security, and confidentiality of the data
system.
(b)
Any person or business that maintains computerized data on behalf of an
information broker
or data
collector that includes personal
information of individuals that the person or business does not own shall notify
the information broker
or data
collector of any breach of the security of
the data immediately following discovery, if the personal information was, or is
reasonably believed to have been, acquired by an unauthorized
person.
(c)
The notification required by this Code section may be delayed if a law
enforcement agency determines that the notification will compromise a criminal
investigation. The notification required by this Code section shall be made
after the law enforcement agency determines that it will not compromise the
investigation.
(d)
In the event that an information broker
or data
collector discovers circumstances
requiring notification pursuant to this Code section of more than 10,000
residents of this state at one time, the information broker
or data
collector shall also notify, without
unreasonable delay, all consumer reporting agencies that compile and maintain
files on consumers on a nation-wide basis, as defined by 15 U.S.C. Section
1681a, of the timing, distribution, and content of the
notices."
SECTION
4.
Article
8 of Chapter 9 of Title 16 of the Official Code of Georgia Annotated, relating
to the offense of identity fraud, is amended by revising Code Section 16-9-121,
relating to the elements of the offense, as follows:
"16-9-121.
(a)
A person commits the offense of identity fraud when
without the
authorization or permission of a person with the intent unlawfully to
appropriate resources of or cause physical harm to that person, or of any other
person, to his or her own use or to the use of a third
party he or she
willfully and
fraudulently:
(1)
Obtains or records identifying information of a person which would assist in
accessing the resources of that person or any other person; or
(2)
Accesses or attempts to access the resources of a person through the use of
identifying information.
(1)
Without authorization or consent, uses or possesses with intent to fraudulently
use, identifying information concerning an individual;
(2)
Uses identifying information of an individual under 18 years old over whom he or
she exercises custodial authority;
(3)
Uses or possesses with intent to fraudulently use, identifying information
concerning a deceased individual;
(4)
Creates, uses, or possesses with intent to fraudulently use, any counterfeit or
fictitious identifying information concerning a fictitious individual with
intent to use such counterfeit or fictitious identification information for the
purpose of committing or facilitating the commission of a crime or fraud on
another person; or
(5)
Without authorization or consent, creates, uses, or possesses with intent to
fraudulently use, any counterfeit or fictitious identifying information
concerning a real individual with intent to use such counterfeit or fictitious
identification information for the purpose of committing or facilitating the
commission of a crime or fraud on another person.
(b)
A person commits the offense of identity fraud by receipt of fraudulent
identification information when he or she willingly accepts for identification
purposes identifying information which he or she knows to be fraudulent, stolen,
counterfeit, or fictitious. In any prosecution under this subsection it shall
not be necessary to show a conviction of the principal thief, counterfeiter, or
fraudulent user.
(c)
The offenses created by this Code section shall not merge with any other
offense."
SECTION
5.
Said
article is further amended by adding a new Code section as follows:
"16-9-125.1.
(a)
A person who has learned or reasonably believes that he or she has been the
victim of identity fraud may contact the local law enforcement agency with
jurisdiction over his or her actual residence for the purpose of making an
incident report. The law enforcement agency having jurisdiction over the
complainant´s residence shall make a report of the complaint and provide
the complainant with a copy of the report. Where jurisdiction for the
investigation and prosecution of the complaint lies with another agency, the law
enforcement agency making the report shall forward a copy to the agency having
such jurisdiction and shall advise the complainant that the report has been so
forwarded.
(b)
Nothing in this Code section shall be construed so as to interfere with the
discretion of a law enforcement agency to allocate resources for the
investigation of crimes. A report created pursuant to this Code section is not
required to be counted as an open case file."
SECTION
6.
Said
article is further amended by revising Code Section 16-9-126, relating to
penalties for violations, as
follows:
"16-9-126.
"16-9-126.
(a)
A violation of this article, other than a violation of Code Section 16-9-122,
shall be punishable by imprisonment for not less than one nor more than ten
years or a fine not to exceed $100,000.00, or both. Any person who commits such
a violation for the second or any subsequent offense shall be punished by
imprisonment for not less than three nor more than 15 years, a fine not to
exceed $250,000.00, or both.
(b)
A violation of this article which does not involve the intent to commit theft or
appropriation of any property, resource or other thing of value that is
committed by a person who is less than 21 years of age, shall be punishable by
imprisonment for not less than one nor more than three years or a fine not to
exceed $ 5,000.00, or both.
(b)(c)
Any person found guilty of a violation of this article may be ordered by the
court to make restitution to any consumer victim or any business victim of such
fraud.
(c)(d)
Each violation of this article shall constitute a separate offense.
(d)(e)
Upon a conviction of a violation of this article, the court may issue any order
necessary to correct a public record that contains false information resulting
from the actions which resulted in the conviction."
SECTION
7.
This
Act shall become effective upon its approval by the Governor or upon its
becoming law without such approval and Section 4 shall apply to all offenses
occurring on or after such date.
SECTION
8.
All
laws and parts of laws in conflict with this Act are repealed.