Johnny Kauffman reports:
A bill filed in the Georgia Legislature by Sen. John Albers (R–Roswell) would mandate companies and state agencies provide details to the attorney general and the governor’s office and give authority to the attorney general’s office to conduct an investigation.
The Republican’s bill (SB 276) is called the “Georgia Personal Data Security Act,” and it would make significant changes to legislation passed in 2005 regarding identity theft.
Read more on WABE.
I’m not sure why the Governor’s office would need to be notified if the state attorney general is notified. A number of states already require notification to the state’s attorney general and state attorneys general already investigate breaches in a number of states, so this bill might bring Georgia more in line with other states.
The bill text reads pretty well as far as these types of bills go, until I got to this part:
Notwithstanding subsection (a) of this Code section, notice to individuals whose personal information has been accessed is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that a breach of the security of the system has not and will not likely result in identity theft or any other financial harm to such individuals. Such a determination must be documented in writing and maintained for at least five years. The covered entity shall provide the written determination to the Attorney General within 30 days after the determination not to notify has been made.
So a breach that could cause significant social or emotional harm doesn’t have to be disclosed as long as it’s unlikely to result in identity theft or financial harm? That’s not good, and I hope someone will suggest this be amended, particularly since the bill does note that student information, including disciplinary records, is considered personal information for purposes of the proposed law. The bill also covers non-profits, which is good. But the bill should recognize that there’s more to harm than just identity theft and financial harm, and require notification where other kinds of harms are foreseeable.
And while the bill means well, I fear this part may set too low or vague a standard:
Each covered entity shall maintain reasonable safeguards to protect and secure personal information.
Overall, though, I am glad to see this bill proposed and hope that with proper tweaks, it passes.
What I don’t like about it is:
“the covered entity reasonably determines that a breach of the security of the system has not and will not likely result in identity theft or any other financial harm to such individuals. Such a determination must be documented in writing and maintained for at least five years.”
Does this mean the “covered entity” determines if it has been breached? Let’s say I have a business. An outsider reports to me that they think I’ve been breached. I ask my internal staff to look over the claim and report back to me. If they don’t find anything immediately, I contact and submit my documentation in writing to the authorities and consider the case closed.
That’s NOT the way it should work, but that’s how many of the businesses out there run. They are/were riding the gravy train until they get “caught,” and then when an incident happens, they say it happens to everyone, and where is my insurance claim?
I think it’s meant to be vague so it can cover a lot of areas without being too specific. I think it gets more votes quicker and with less room for specifying a targeted corporation or business type – it keeps the donations/contributions coming in…
Hopefully the states will add their two cents onto this and make the procedures a little more strict. Outside audits and vulnerability assessments should be mandatory after a breach is declared. A mandatory watch list for anyone that says they are clear and get breached again within five years, with yearly audits and vulnerability assessments for another five years.
The problem with the entity determining the risk of harm is an old one, and yes, I prefer HITECH’s presumption of a reportable breach unless the entity can prove/demonstrate no risk. Hopefully that, too, will be addressed during consideration of the bill.