Can I store personal information about my customers in Georgia? What are the requirements?
Storing Personal Information of Customers in Georgia
Yes, you can store personal information about your customers in Georgia, but you must comply with certain requirements.
GARR Rule 80-14-1-.06, GARR Rule 80-11-1-.08, GARR Rule 80-3-1-.05, GARR Rule 80-4-1-.09
All licensees must create and maintain an information security program to safeguard the nonpublic personal information of customers to the extent required by 16 C.F.R. Part 314 (the “Safeguards Rule”). As part of its regulatory oversight, the Department shall review, to the extent applicable, licensee’s information security programs, risk assessments, incident response plans, and other required elements of the Safeguards Rule [1.2][2.2][3.2][4.2].
GARR Rule 80-14-1-.05, GACO 46-5-214
In the event that a licensee provides notice under applicable federal or state law of an information security incident involving unauthorized access to personal information, then the licensee shall simultaneously provide a duplicate of such disclosure to the Department. For purposes of this rule, personal information is any record containing nonpublic personal information about a customer or potential customer whether in paper, electronic, or other form maintained by or on behalf of the licensee [1.1][2.1][3.1][4.1].
If there is a breach of a telephone record concerning a Georgia resident, the telecommunications company must provide notice to the Georgia resident immediately following discovery or notification of the breach if such breach is reasonably likely to cause quantifiable harm to the Georgia resident. The notice must be made in the most expedient manner possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the telephone record [5.1].
Therefore, you can store personal information about your customers in Georgia, but you must create and maintain an information security program to safeguard the nonpublic personal information of customers to the extent required by 16 C.F.R. Part 314. Additionally, if there is a breach of personal information, you must provide notice to the Department and the affected Georgia residents.
Source(s):
- [1.1] Notice of Unauthorized Access to Personal Information
- [2.1] Notice of Unauthorized Access to Personal Information
- [3.1] Notice of Unauthorized Access to Personal Information
- [4.1] Notice of Unauthorized Access to Personal Information
- [1.2] Information Security Safeguards for Consumer Financial Information
- [2.2] Information Security Safeguards for Consumer Financial Information
- [3.2] Information Security Safeguards for Consumer Financial Information
- [4.2] Information Security Safeguards for Consumer Financial Information
- [5.1] Action in event of telephone record security breach; notification to Georgia residents; law enforcement exception; violations shall be unfair or deceptive practice in consumer transactions.
Jurisdiction
Georgia