TITLE 10
COMMERCE AND TRADE
Section 1. Selling and Other Trade Practices, 10-1-1 through 10-1-915.
ARTICLE 34
IDENTITY THEFT
10-1-911. Definitions.
As used in this article, the term:
-
"Breach of the security of the system" means unauthorized acquisition of an individual's electronic data that compromises the security, confidentiality, or integrity of personal information of such individual maintained by an information broker or data collector. Good faith acquisition or use of personal information by an employee or agent of an information broker or data collector for the purposes of such information broker or data collector is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
-
"Data collector" means any state or local agency or subdivision thereof including any department, bureau, authority, public university or college, academy, commission, or other government entity; provided, however, that the term "data collector" shall not include any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes or for purposes of providing public access to court records or to real or personal property information.
-
"Information broker" means any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties, but does not include any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes.
-
"Notice" means:
-
Written notice;
-
Telephone notice;
-
Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code; or
-
Substitute notice, if the information broker or data collector demonstrates that the cost of providing notice would exceed $50,000.00, that the affected class of individuals to be notified exceeds 100,000, or that the information broker or data collector does not have sufficient contact information to provide written or electronic notice to such individuals. Substitute notice shall consist of all of the following:
-
E-mail notice, if the information broker or data collector has an e-mail address for the individuals to be notified;
-
Conspicuous posting of the notice on the information broker's or data collector's website page, if the information broker or data collector maintains one; and
-
Notification to major state-wide media.
Notwithstanding any provision of this paragraph to the contrary, an information broker or data collector that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this article shall be deemed to be in compliance with the notification requirements of this article if it notifies the individuals who are the subjects of the notice in accordance with its policies in the event of a breach of the security of the system.
-
"Person" means any individual, partnership, corporation, limited liability company, trust, estate, cooperative, association, or other entity. The term "person" as used in this article shall not be construed to require duplicative reporting by any individual, corporation, trust, estate, cooperative, association, or other entity involved in the same transaction.
-
"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
-
Social security number;
-
Driver's license number or state identification card number;
-
Account number, credit card number, or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords;
-
Account passwords or personal identification numbers or other access codes; or
-
Any of the items contained in subparagraphs (A) through (D) of this paragraph when not in connection with the individual's first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.
The term "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(Code 1981, §10-1-911, enacted by Ga. L. 2005, p. 851, § 1/SB 230; Ga. L. 2007, p. 450, § 2/SB 236.)
Editor's notes.
- Ga. L. 2007, p. 450,
§
1, not codified by the General Assembly, provides: "This Act shall be known and may be cited as the 'Georgia Personal Identity Protection Act.'"
JUDICIAL DECISIONS
Tort action for wrongful disclosure of private information dismissed for failure to state cause of action.
- Dismissal of the plaintiff's cause of action against a state agency for disclosure of private information in violation of the Georgia Personal Identity Protection Act (GPIPA), O.C.G.A.
§
10-1-910 et seq., was affirmed for failure to state a claim because the GPIPA did not impose any standard of conduct in implementing and maintaining data security practices; thus, it could not serve as the source of a statutory duty to safeguard personal information. McConnell v. Department of Labor, 337 Ga. App. 457, 787 S.E.2d 794 (2016).