Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:

  • Not applicable

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Vendors must notify Organizations within 24 hours after discovery of a breach or suspected breach. The Organization is responsible for completing any required regulatory reporting and consumer notification.
  • When consumer notification is made to more than 10,000 residents of this state at one time, the breach must also be reported, without unreasonable delay, to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Organizations and Vendors in the business of destroying records must have measures in place for the secure destruction of records containing personal information, so that the records are unreadable or undecipherable.
  • Businesses in violation of data protection laws may incur fines up to $250 for the first violation and up to $1,000 for a second or subsequent violation.
  • Businesses in violation of the data disposal law may incur fines up to $500 for each customer's record containing personal information that is wrongfully disposed of or discarded, up to a total fine of $10,000.
  • Organizations may be fined or penalized for Vendor violations.
  • There are separate laws covering data for education and health.
Statutes and Laws
  • O.C.G.A. §§ 10-1-910 – 10-1-912 Notification required upon breach of security regarding personal information
  • O.C.G.A. § 10-1-393.8 Protection from disclosure of an individual’s social security number
  • O.C.G.A. §§ 10-15-1 – 10-15-7 Disposal of business records containing personal information; Handling of receipts for credit card transactions; Prohibited activities involving magnetic strip or stripe on payment card
  • O.C.G.A. §§ 20-2-660 – 20-2-668 Student Data Privacy, Accessibility, and Transparency Act
  • O.C.G.A. §§ 31-33-1 – 31-33-8 Health Records
  • O.C.G.A. § 33-24-57.1 Health insurance identification card; issue required; contents; updating; social security numbers not to be displayed
  • O.C.G.A. § 46-5-214 Action in event of telephone record security breach
