Can I ignore my obligations as a service provider with access to personal information in Georgia? What are the requirements?
Based on the context documents, as a service provider with access to personal information in Georgia, you cannot ignore your obligations. Georgia law imposes several requirements on service providers with access to personal information.
Requirements for Service Providers with Access to Personal Information in Georgia
Under GARR Rule 80-14-1-.05, if a licensee provides notice under applicable federal or state law of an information security incident involving unauthorized access to personal information, then the licensee shall simultaneously provide a duplicate of such disclosure to the Department. For purposes of this rule, personal information is any record containing nonpublic personal information about a customer or potential customer whether in paper, electronic, or other form maintained by or on behalf of the licensee.
Under GACO 33-39-9, if any individual, after proper identification, submits a written request to an insurance institution, agent, or insurance-support organization for access to recorded personal information about the individual which is reasonably described by the individual and reasonably locatable and retrievable by the insurance institution, agent, or insurance-support organization, the insurance institution, agent, or insurance-support organization shall within 30 business days from the date such request is received:
- Inform the individual of the nature and substance of such recorded personal information in writing, by telephone, or by other oral communication, whichever the insurance institution, agent, or insurance-support organization prefers;
- Permit the individual to see and copy, in person, such recorded personal information pertaining to him or her or to obtain a copy of such recorded personal information by mail, whichever the individual prefers, unless such recorded personal information is in coded form, in which case an accurate translation in plain language shall be provided in writing;
- Disclose to the individual the identity, if recorded, of those persons to whom the insurance institution, agent, or insurance-support organization has disclosed such personal information within two years prior to such request and, if the identity is not recorded, the names of those insurance institutions, agents, insurance-support organizations, or other persons to whom such information is normally disclosed; and
- Provide the individual with a summary of the procedures by which he or she may request correction, amendment, or deletion of recorded personal information.
Under GACO 33-39-14, an insurance institution, agent, or insurance-support organization shall not disclose any personal or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure is:
- With the written authorization of the individual, provided:
  - If such authorization is submitted by another insurance institution, agent, or insurance-support organization, the authorization meets the requirement of Code Section 33-39-7; or
  - If such authorization is submitted by a person other than an insurance institution, agent, or insurance-support organization, the authorization is:
    - Dated;
    - Signed by the individual; and
    - Obtained one year or less prior to the date a disclosure is sought pursuant to this subsection; or
- To a person other than an insurance institution, agent, or insurance-support organization, provided such disclosure is reasonably necessary:
  - To enable such person to perform a business, professional, or insurance function for the disclosing insurance institution, agent, or insurance-support organization and such person agrees not to disclose the information further without the individual’s written authorization unless the further disclosure:
    - Would otherwise be permitted by this Code section if made by an insurance institution, agent, or insurance-support organization; or
    - Is reasonably necessary for such person to perform its function for the disclosing insurance institution, agent, or insurance-support organization; or
  - To enable such person to provide information to the disclosing insurance institution, agent, or insurance-support organization for the purpose of:
    - Determining an individual’s eligibility for an insurance benefit or payment; or
    - Detecting or preventing criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with an insurance transaction; or
- To an insurance institution, agent, insurance-support organization, or self-insurer, provided the information disclosed is limited to that which is reasonably necessary:
  - To detect or prevent criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with insurance transactions; or
  - For either the disclosing or receiving insurance institution, agent, or insurance-support organization to perform its function in connection with an insurance transaction involving the individual; or
- To a medical-care institution or medical professional for the purpose of:
  - Verifying insurance coverage or benefits;
  - Informing an individual of a medical problem of which the individual may not be aware; or
  - Conducting an operations or services audit; provided only such information is disclosed as is reasonably necessary to accomplish the foregoing purposes; or
- To an insurance regulatory authority; or
- Otherwise permitted or required by law.
Under GACO 16-9-109, any law enforcement unit, the Attorney General, or any district attorney who is conducting an investigation of a violation of this article or an investigation of a violation of Code Section 16-12-100, 16-12-100.1, 16-12-100.2, 16-5-90, or 16-11-221, Article 8 of Chapter 5 of this title, or Article 8 of this chapter involving the use of a computer, cellular telephone, or any other electronic device used in furtherance of the act may require the disclosure by a provider of electronic communication service or remote computing service of the contents of a wire or electronic communication that is in electronic storage in an electronic communications system for 180 days or less pursuant to a search warrant issued under the provisions of Article 2 of Chapter 5 of Title 17 by a court with jurisdiction over the offense under investigation.
Under GACO 10-1-912, any information broker or data collector that maintains computerized data that includes personal information of individuals shall give notice of any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this Code section, or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
Under GACO 46-5-214, in the event of a breach of a telephone record concerning a Georgia resident, the telecommunications company must provide notice to the Georgia resident immediately following discovery or notification of the breach if such breach is reasonably likely to cause quantifiable harm to the Georgia resident.
Conclusion
Based on the above requirements, as a service provider with access to personal information in Georgia, you cannot ignore your obligations. You must comply with the requirements imposed by Georgia law.
Jurisdiction
Georgia, Georgia