Can I avoid having a data breach response plan in Georgia? What are the requirements?
Data Breach Response Plan Requirements in Georgia
To answer your question, no, you cannot avoid having a data breach response plan in Georgia. Georgia law requires that all businesses and organizations that collect personal information of Georgia residents develop and implement a data breach response plan [3.1].
The Georgia Data Analytic Center (GDAC) was established to securely receive, maintain, and transmit data in accordance with Georgia law and HIPAA privacy and security standards [2.1]. The GDAC Project seeks to receive and maintain individually identifiable data but transmit de-identified data wherever possible. The GDAC Project shall only receive, maintain, and transmit individually identifiable information if permitted by Georgia law and if the information is in a form and format that are secured to prevent disclosure of individually identifiable information [2.1].
The Georgia Office of Planning and Budget (OPB) is responsible for overseeing the operation of the GDAC Project and ensuring that the GDAC Project receives, maintains, and transmits data only as permitted by Georgia law and as approved by the OPB and the state agency or department whose data are requested [2.3].
In the event of a breach of a telephone record concerning a Georgia resident, the telecommunications company must provide notice to the Georgia resident immediately following discovery or notification of the breach if such breach is reasonably likely to cause quantifiable harm to the Georgia resident. The notice must be made in the most expedient manner possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the telephone record [3.1].
Therefore, it is mandatory for all businesses and organizations that collect personal information of Georgia residents to develop and implement a data breach response plan.
Source(s):
- [2.1] Capabilities and operation of Georgia Data Analytic Center; procurement of technology and services; disclosure of individual identifiable data.
- [3.1] Action in event of telephone record security breach; notification to Georgia residents; law enforcement exception; violations shall be unfair or deceptive practice in consumer transactions.
- [2.3] Oversight.
Jurisdiction
Georgia, Georgia