Staff Analysis of the Legislation
|
This legislation requires local governments to comply with the Georgia Personal Data Security Act. Because counties maintain electronic and physical copies of personal information, they must provide individuals with notice of any breach of security of the system that houses the personal information as soon as possible after the breach is discovered, but in no case later than 45 days. If the county uses a third party to store the personal information, the third party must notify the county within 72 hours of any data breach, so that the county can meet its notification requirements. If law enforcement determines that notification would impair an ongoing criminal investigation, notification can be delayed. If the county, after investigation and consultation with relevant federal, state or local law enforcement, determines that the breach was not likely to result in identify theft or financial harm to an individual, notification will not be necessary. The county will be required to provide a written certification within 30 days to the attorney general and to maintain a copy of the written certification for at least five years. |