skip to main content
Experience List
  • Email Page
  • Create PDF
  • Print Page
Georgia Data Breach Statute


Ga. Code Ann. §§ 10-1-910 to -912 

To print or save this summary, click here.


Quick Facts

Breach Based on
Harm Threshold

Deadline for
Consumer Notice

Notification Required


Most expedient time possible and without
unreasonable delay



More Details

Scope of this Summary Notification requirements applicable to “data collectors” (meaning certain state or local governmental agencies), “information brokers” (meaning persons or commercial entities who engage in whole or in part in the business of collecting, evaluating, transmitting, or otherwise communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties), and persons maintaining covered info on their behalf.
Covered Info First name or first initial and last name, plus: Social Security number; driver's license or state identification card number; account, credit or debit card number, if it can be used without additional identifying info, access codes or passwords; account passwords, PINs or other access codes; or any of the previous data elements when not connected with the first name or first initial and last name if information compromised is sufficient to perform or attempt identity theft.
Form of Covered Info Electronic Only
Encryption Safe Harbor Statute does not apply to information that is encrypted or redacted.
Breach Defined Unauthorized acquisition that compromises the security, confidentiality, or integrity of the covered info, excluding certain good-faith access by employees or agents.
Consumer Notice Timing: Must be made in the most expedient time possible and without unreasonable delay consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the system.

Method: By written notice, telephonic notice, or electronic notice if it is consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.
Delayed Notice The notification may be delayed if a law enforcement agency determines that the notification will compromise a criminal investigation. The notification must be made after the law enforcement agency determines that it will not compromise the investigation.
Consumer Agency Notice If more than 10,000 residents notified, must notify all nationwide CRAs without unreasonable delay of timing, distribution and content of the consumer notice.
Third-Party Notice If you maintain covered info on behalf of an information broker or data collector, you must notify them within 24 hours following discovery of a breach, if the covered information was, or is reasonably believed to have been, accessed without authorization.
Potential Penalties Violations may result in civil penalties.


To print or save this summary, click here.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on March 26, 2018