DataBreaches.Net


Ga. Senator Proposes Bill On Public Data Breach Investigations

Posted on January 21, 2016 by Dissent

Johnny Kauffman reports:

A bill filed in the Georgia Legislature by Sen. John Albers (R–Roswell) would mandate companies and state agencies provide details to the attorney general and the governor’s office and give authority to the attorney general’s office to conduct an investigation.

The Republican’s bill (SB 276) is called the “Georgia Personal Data Security Act,” and it would make significant changes to legislation passed in 2005 regarding identity theft.

Read more on WABE.

I’m not sure why the Governor’s office would need to be notified if the state attorney general is notified. A number of states already require notification to the state’s attorney general and state attorneys general already investigate breaches in a number of states, so this bill might bring Georgia more in line with other states.

The bill text reads pretty well as far as these types of bills go, until I got to this part:

Notwithstanding subsection (a) of this Code section, notice to individuals whose personal information has been accessed is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that a breach of the security of the system has not and will not likely result in identity theft or any other financial harm to such individuals. Such a determination must be documented in writing and maintained for at least five years. The covered entity shall provide the written determination to the Attorney General within 30 days after the determination not to notify has been made.

So a breach that could cause significant social or emotional harm doesn’t have to be disclosed as long as it’s unlikely to result in identity theft or financial harm? That’s not good, and I hope someone will suggest this be amended, particularly since the bill does note that student information, including disciplinary records, is considered personal information for purposes of the proposed law. The bill also covers non-profits, which is good. But the bill should also recognize that there’s more to harm than just identity theft and financial harm, and require notification where other kinds of harm are foreseeable.

And while the bill means well, I fear this part may set too low or vague a standard:

Each covered entity shall maintain reasonable safeguards to protect and secure personal information.

Overall, though, I am glad to see this bill proposed and hope that with proper tweaks, it passes.


2 thoughts on “Ga. Senator Proposes Bill On Public Data Breach Investigations”

  1. IA Eng says:
    January 22, 2016 at 6:35 am

    What I don’t like about it is:
    “the covered entity reasonably determines that a breach of the security of the system has not and will not likely result in identity theft or any other financial harm to such individuals. Such a determination must be documented in writing and maintained for at least five years.”

    Does this mean the “covered entity” determines if it has been breached? Let’s say I have a business. An outsider reports to me that they think I’ve been breached. I ask my internal staff to look over the claim and report back to me. If they don’t find anything immediately, I contact and submit my documentation in writing to the authorities and consider the case closed.

    That’s NOT the way it should work, but that’s how many of the businesses out there run. They are/were riding the gravy train until they get “caught,” and then when an incident happens, they say it happens to everyone, and where is my insurance claim?

    I think it’s meant to be vague so it can cover a lot of areas without being too specific. I think it gets more votes quicker and with less room for specifying a targeted corporation or business type – it keeps the donations/contributions coming in…

    Hopefully the states will add their two cents onto this and make the procedures a little more strict. Outside audits and vulnerability assessments should be mandatory after a breach is declared. A mandatory watch list for anyone that says they are clear and get breached again within five years, with yearly audits and vulnerability assessments for another five years.

    1. Dissent says:
      January 22, 2016 at 8:24 am

      The problem with the entity determining the risk of harm is an old one, and yes, I prefer HITECH’s presumption of a reportable breach unless the entity can prove/demonstrate no risk. Hopefully that, too, will be addressed during consideration of the bill.
