DataBreaches.Net


Ga. Senator Proposes Bill On Public Data Breach Investigations

Posted on January 21, 2016 by Dissent

Johnny Kauffman reports:

A bill filed in the Georgia Legislature by Sen. John Albers (R–Roswell) would mandate companies and state agencies provide details to the attorney general and the governor’s office and give authority to the attorney general’s office to conduct an investigation.

The Republican’s bill (SB 276) is called the “Georgia Personal Data Security Act,” and it would make significant changes to legislation passed in 2005 regarding identity theft.

Read more on WABE.

I’m not sure why the Governor’s office would need to be notified if the state attorney general is notified. A number of states already require notification to the state attorney general, and state attorneys general already investigate breaches in a number of states, so this bill might bring Georgia more in line with other states.

The bill text read pretty well, as far as these types of bills go, until I got to this part:

Notwithstanding subsection (a) of this Code section, notice to individuals whose personal information has been accessed is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that a breach of the security of the system has not and will not likely result in identity theft or any other financial harm to such individuals. Such a determination must be documented in writing and maintained for at least five years. The covered entity shall provide the written determination to the Attorney General within 30 days after the determination not to notify has been made.

So a breach that could cause significant social or emotional harm doesn’t have to be disclosed as long as it’s unlikely to result in identity theft or financial harm? That’s not good, and I hope someone will suggest this be amended, particularly since the bill does note that student information, including disciplinary records, is considered personal information for purposes of the proposed law. The bill also covers non-profits, which is good. But the drafters should also recognize that there is more to harm than identity theft and financial harm, and require notification where other kinds of harm are foreseeable.

And while the bill means well, I fear this part may set too low or too vague a standard:

Each covered entity shall maintain reasonable safeguards to protect and secure personal information.

Overall, though, I am glad to see this bill proposed and hope that with proper tweaks, it passes.

Category: Breach Laws, Legislation, State/Local


2 thoughts on “Ga. Senator Proposes Bill On Public Data Breach Investigations”

  1. IA Eng says:
    January 22, 2016 at 6:35 am

    What I don’t like about it is:
    “the covered entity reasonably determines that a breach of the security of the system has not and will not likely result in identity theft or any other financial harm to such individuals. Such a determination must be documented in writing and maintained for at least five years.”

    Does this mean the “covered entity” determines if it has been breached? Let’s say I have a business. An outsider reports to me that they think I’ve been breached. I ask my internal staff to look over the claim and report back to me. If they don’t find anything immediately, I contact and submit my documentation in writing to the authorities and consider the case closed.

    That’s NOT the way it should work, but that’s how many of the businesses out there run. They are/were riding the gravy train until they get “caught,” and then when an incident happens, they say it happens to everyone, and where is my insurance claim?

    I think it’s meant to be vague so it can cover a lot of areas without being too specific. I think it gets more votes quicker and with less room for specifying a targeted corporation or business type – it keeps the donations/contributions coming in...

    Hopefully the states will add their two cents to this and make the procedures a little more strict. Outside audits and vulnerability assessments should be mandatory after a breach is declared. A mandatory watch list for anyone that says they are clear and gets breached again within five years, with yearly audits and vulnerability assessments for another five years.

    1. Dissent says:
      January 22, 2016 at 8:24 am

      The problem with the entity determining the risk of harm is an old one, and yes, I prefer HITECH’s presumption of a reportable breach unless the entity can prove/demonstrate no risk. Hopefully that, too, will be addressed during consideration of the bill.


© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.