Georgia Personal Identity Protection Act. (OCGA § 10-1-910)
07 SB236/AP
236
- 1 -
Senate Bill 236
By: Senators Rogers of the 21st, Hudgens of the 47th, Thompson of the 33rd, Goggans of
the 7th, Hawkins of the 49th and others
AS PASSED
A BILL TO BE ENTITLED
AN ACT
1 To amend Article 34 of Chapter 1 of Title 10 of the Official Code of Georgia Annotated,
2 relating to identity theft, so as to provide for definitions; to provide for notification by certain
3 data collectors upon a breach of security regarding personal information; to amend Article
4 8 of Chapter 9 of Title 16 of the Official Code of Georgia Annotated, relating to the offense
5 of identity fraud, so as to change certain provisions relating to the elements of the offense of
6 identity fraud; to create the offense of identity fraud by receipt of fraudulent identification
7 information; to provide for a victim´s right to file a report with a law enforcement agency;
8 to provide a short title; to modify certain penalties; to provide for related matters; to provide
9 an effective date; to repeal conflicting laws; and for other purposes.
10 BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:
11 SECTION 1.
12 This Act shall be known and may be cited as the "Georgia Personal Identity Protection Act."
13 SECTION 2.
14 Article 34 of Chapter 1 of Title 10 of the Official Code of Georgia Annotated, relating to
15 identity theft, is amended by revising Code Section 10-1-911, relating to definitions, as
16 follows:
17 "10-1-911.
18 As used in this article, the term:
19 (1) 'Breach of the security of the system' means unauthorized acquisition of an
20 individual´s computerized electronic data that compromises the security, confidentiality,
21 or integrity of personal information of such individual maintained by an information
22 broker or data collector. Good faith acquisition or use of personal information by an
23 employee or agent of an information broker or data collector for the purposes of such
24 information broker or data collector is not a breach of the security of the system, provided
25 that the personal information is not used or subject to further unauthorized disclosure.
07 SB236/AP
236
- 2 -
1 (2) 'Data collector' means any state or local agency or subdivision thereof including any
2 department, bureau, authority, public university or college, academy, commission, or
3 other government entity; provided, however, that the term 'data collector' shall not
4 include any governmental agency whose records are maintained primarily for traffic
5 safety, law enforcement, or licensing purposes or for purposes of providing public access
6 to court records or to real or personal property information.
7 (2)(3) 'Information broker' means any person or entity who, for monetary fees or dues,
8 engages in whole or in part in the business of collecting, assembling, evaluating,
9 compiling, reporting, transmitting, transferring, or communicating information
10 concerning individuals for the primary purpose of furnishing personal information to
11 nonaffiliated third parties, but does not include any governmental agency whose records
12 are maintained primarily for traffic safety, law enforcement, or licensing purposes.
13 (3)(4) 'Notice' means:
14 (A) Written notice;
15 (B) Telephone notice;
16 (C) Electronic notice, if the notice provided is consistent with the provisions regarding
17 electronic records and signatures set forth in Section 7001 of Title 15 of the United
18 States Code; or
19 (C)(D) Substitute notice, if the information broker or data collector demonstrates that
20 the cost of providing notice would exceed $250,000.00 $50,000.00, that the affected
21 class of individuals to be notified exceeds 500,000 100,000, or that the information
22 broker or data collector does not have sufficient contact information to provide written
23 or electronic notice to such individuals. Substitute notice shall consist of all of the
24 following:
25 (i) E-mail notice, if the information broker or data collector has an e-mail address for
26 the individuals to be notified;
27 (ii) Conspicuous posting of the notice on the information broker´s or data collector´s
28 website page, if the information broker or data collector maintains one; and
29 (iii) Notification to major state-wide media.
30 Notwithstanding any provision of this paragraph to the contrary, an information broker
31 or data collector that maintains its own notification procedures as part of an information
32 security policy for the treatment of personal information and is otherwise consistent with
33 the timing requirements of this article shall be deemed to be in compliance with the
34 notification requirements of this article if it notifies the individuals who are the subjects
35 of the notice in accordance with its policies in the event of a breach of the security of the
36 system.
07 SB236/AP
236
- 3 -
1 (4)(5) 'Person' means any individual, partnership, corporation, limited liability company,
2 trust, estate, cooperative, association, or other entity. The term 'person' as used in this
3 article shall not be construed to require duplicative reporting by any individual,
4 corporation, trust, estate, cooperative, association, or other entity involved in the same
5 transaction.
6 (5)(6) 'Personal information' means an individual´s first name or first initial and last
7 name in combination with any one or more of the following data elements, when either
8 the name or the data elements are not encrypted or redacted:
9 (A) Social security number;
10 (B) Driver´s license number or state identification card number;
11 (C) Account number, credit card number, or debit card number, if circumstances exist
12 wherein such a number could be used without additional identifying information, access
13 codes, or passwords;
14 (D) Account passwords or personal identification numbers or other access codes; or
15 (E) Any of the items contained in subparagraphs (A) through (D) of this paragraph
16 when not in connection with the individual´s first name or first initial and last name, if
17 the information compromised would be sufficient to perform or attempt to perform
18 identity theft against the person whose information was compromised.
19 The term 'personal information' does not include publicly available information that is
20 lawfully made available to the general public from federal, state, or local government
21 records."
22 SECTION 3.
23 Said article is further amended by revising Code Section 10-1-912, relating to notification
24 required upon breach of security regarding personal information, as follows:
25 "10-1-912.
26 (a) Any information broker or data collector that maintains computerized data that includes
27 personal information of individuals shall give notice of any breach of the security of the
28 system following discovery or notification of the breach in the security of the data to any
29 resident of this state whose unencrypted personal information was, or is reasonably
30 believed to have been, acquired by an unauthorized person. The notice shall be made in
31 the most expedient time possible and without unreasonable delay, consistent with the
32 legitimate needs of law enforcement, as provided in subsection (c) of this Code section, or
33 with any measures necessary to determine the scope of the breach and restore the
34 reasonable integrity, security, and confidentiality of the data system.
35 (b) Any person or business that maintains computerized data on behalf of an information
36 broker or data collector that includes personal information of individuals that the person
07 SB236/AP
236
- 4 -
1 or business does not own shall notify the information broker or data collector of any breach
2 of the security of the data immediately system within 24 hours following discovery, if the
3 personal information was, or is reasonably believed to have been, acquired by an
4 unauthorized person.
5 (c) The notification required by this Code section may be delayed if a law enforcement
6 agency determines that the notification will compromise a criminal investigation. The
7 notification required by this Code section shall be made after the law enforcement agency
8 determines that it will not compromise the investigation.
9 (d) In the event that an information broker or data collector discovers circumstances
10 requiring notification pursuant to this Code section of more than 10,000 residents of this
11 state at one time, the information broker or data collector shall also notify, without
12 unreasonable delay, all consumer reporting agencies that compile and maintain files on
13 consumers on a nation-wide basis, as defined by 15 U.S.C. Section 1681a, of the timing,
14 distribution, and content of the notices."
15 SECTION 4.
16 Article 8 of Chapter 9 of Title 16 of the Official Code of Georgia Annotated, relating to the
17 offense of identity fraud, is amended by revising Code Section 16-9-121, relating to the
18 elements of the offense, as follows:
19 "16-9-121.
20 (a) A person commits the offense of identity fraud when without the authorization or
21 permission of a person with the intent unlawfully to appropriate resources of or cause
22 physical harm to that person, or of any other person, to his or her own use or to the use of
23 a third party he or she willfully and fraudulently:
24 (1) Obtains or records identifying information of a person which would assist in
25 accessing the resources of that person or any other person; or
26 (2) Accesses or attempts to access the resources of a person through the use of
27 identifying information.
28 (1) Without authorization or consent, uses or possesses with intent to fraudulently use,
29 identifying information concerning an individual;
30 (2) Uses identifying information of an individual under 18 years old over whom he or
31 she exercises custodial authority;
32 (3) Uses or possesses with intent to fraudulently use, identifying information concerning
33 a deceased individual;
34 (4) Creates, uses, or possesses with intent to fraudulently use, any counterfeit or fictitious
35 identifying information concerning a fictitious individual with intent to use such
07 SB236/AP
236
- 5 -
1 counterfeit or fictitious identification information for the purpose of committing or
2 facilitating the commission of a crime or fraud on another person; or
3 (5) Without authorization or consent, creates, uses, or possesses with intent to
4 fraudulently use, any counterfeit or fictitious identifying information concerning a real
5 individual with intent to use such counterfeit or fictitious identification information for
6 the purpose of committing or facilitating the commission of a crime or fraud on another
7 person.
8 (b) A person commits the offense of identity fraud by receipt of fraudulent identification
9 information when he or she willingly accepts for identification purposes identifying
10 information which he or she knows to be fraudulent, stolen, counterfeit, or fictitious. In
11 any prosecution under this subsection it shall not be necessary to show a conviction of the
12 principal thief, counterfeiter, or fraudulent user.
13 (c) The offenses created by this Code section shall not merge with any other offense.
14 (d) This Code section shall not apply to a person under the age of 21 who uses a
15 fraudulent, counterfeit, or other false identification card for the purpose of obtaining entry
16 into a business establishment or for purchasing items which he or she is not of legal age to
17 purchase."
18 SECTION 5.
19 Said article is further amended by adding a new Code section as follows:
20 "16-9-125.1.
21 (a) A person who has learned or reasonably believes that he or she has been the victim of
22 identity fraud may contact the local law enforcement agency with jurisdiction over his or
23 her actual residence for the purpose of making an incident report. The law enforcement
24 agency having jurisdiction over the complainant´s residence shall make a report of the
25 complaint and provide the complainant with a copy of the report. Where jurisdiction for
26 the investigation and prosecution of the complaint lies with another agency, the law
27 enforcement agency making the report shall forward a copy to the agency having such
28 jurisdiction and shall advise the complainant that the report has been so forwarded.
29 (b) Nothing in this Code section shall be construed so as to interfere with the discretion
30 of a law enforcement agency to allocate resources for the investigation of crimes. A report
31 created pursuant to this Code section is not required to be counted as an open case file."
32 SECTION 6.
33 Said article is further amended by revising Code Section 16-9-126, relating to penalties for
34 violations, as follows:
07 SB236/AP
236
- 6 -
1 "16-9-126.
2 (a) A violation of this article, other than a violation of Code Section 16-9-122, shall be
3 punishable by imprisonment for not less than one nor more than ten years or a fine not to
4 exceed $100,000.00, or both. Any person who commits such a violation for the second or
5 any subsequent offense shall be punished by imprisonment for not less than three nor more
6 than 15 years, a fine not to exceed $250,000.00, or both.
7 (b) A violation of this article which does not involve the intent to commit theft or
8 appropriation of any property, resource or other thing of value that is committed by a
9 person who is less than 21 years of age, shall be punishable by imprisonment for not less
10 than one nor more than three years or a fine not to exceed $ 5,000.00, or both.
11 (b)(c) Any person found guilty of a violation of this article may be ordered by the court
12 to make restitution to any consumer victim or any business victim of such fraud.
13 (c)(d) Each violation of this article shall constitute a separate offense.
14 (d)(e) Upon a conviction of a violation of this article, the court may issue any order
15 necessary to correct a public record that contains false information resulting from the
16 actions which resulted in the conviction."
17 SECTION 7.
18 This Act shall become effective upon its approval by the Governor or upon its becoming law
19 without such approval and Section 4 shall apply to all offenses occurring on or after such
20 date.
21 SECTION 8.
22 All laws and parts of laws in conflict with this Act are repealed.
236
- 1 -
Senate Bill 236
By: Senators Rogers of the 21st, Hudgens of the 47th, Thompson of the 33rd, Goggans of
the 7th, Hawkins of the 49th and others
AS PASSED
A BILL TO BE ENTITLED
AN ACT
1 To amend Article 34 of Chapter 1 of Title 10 of the Official Code of Georgia Annotated,
2 relating to identity theft, so as to provide for definitions; to provide for notification by certain
3 data collectors upon a breach of security regarding personal information; to amend Article
4 8 of Chapter 9 of Title 16 of the Official Code of Georgia Annotated, relating to the offense
5 of identity fraud, so as to change certain provisions relating to the elements of the offense of
6 identity fraud; to create the offense of identity fraud by receipt of fraudulent identification
7 information; to provide for a victim´s right to file a report with a law enforcement agency;
8 to provide a short title; to modify certain penalties; to provide for related matters; to provide
9 an effective date; to repeal conflicting laws; and for other purposes.
10 BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:
11 SECTION 1.
12 This Act shall be known and may be cited as the "Georgia Personal Identity Protection Act."
13 SECTION 2.
14 Article 34 of Chapter 1 of Title 10 of the Official Code of Georgia Annotated, relating to
15 identity theft, is amended by revising Code Section 10-1-911, relating to definitions, as
16 follows:
17 "10-1-911.
18 As used in this article, the term:
19 (1) 'Breach of the security of the system' means unauthorized acquisition of an
20 individual´s computerized electronic data that compromises the security, confidentiality,
21 or integrity of personal information of such individual maintained by an information
22 broker or data collector. Good faith acquisition or use of personal information by an
23 employee or agent of an information broker or data collector for the purposes of such
24 information broker or data collector is not a breach of the security of the system, provided
25 that the personal information is not used or subject to further unauthorized disclosure.
07 SB236/AP
236
- 2 -
1 (2) 'Data collector' means any state or local agency or subdivision thereof including any
2 department, bureau, authority, public university or college, academy, commission, or
3 other government entity; provided, however, that the term 'data collector' shall not
4 include any governmental agency whose records are maintained primarily for traffic
5 safety, law enforcement, or licensing purposes or for purposes of providing public access
6 to court records or to real or personal property information.
7 (2)(3) 'Information broker' means any person or entity who, for monetary fees or dues,
8 engages in whole or in part in the business of collecting, assembling, evaluating,
9 compiling, reporting, transmitting, transferring, or communicating information
10 concerning individuals for the primary purpose of furnishing personal information to
11 nonaffiliated third parties, but does not include any governmental agency whose records
12 are maintained primarily for traffic safety, law enforcement, or licensing purposes.
13 (3)(4) 'Notice' means:
14 (A) Written notice;
15 (B) Telephone notice;
16 (C) Electronic notice, if the notice provided is consistent with the provisions regarding
17 electronic records and signatures set forth in Section 7001 of Title 15 of the United
18 States Code; or
19 (C)(D) Substitute notice, if the information broker or data collector demonstrates that
20 the cost of providing notice would exceed $250,000.00 $50,000.00, that the affected
21 class of individuals to be notified exceeds 500,000 100,000, or that the information
22 broker or data collector does not have sufficient contact information to provide written
23 or electronic notice to such individuals. Substitute notice shall consist of all of the
24 following:
25 (i) E-mail notice, if the information broker or data collector has an e-mail address for
26 the individuals to be notified;
27 (ii) Conspicuous posting of the notice on the information broker´s or data collector´s
28 website page, if the information broker or data collector maintains one; and
29 (iii) Notification to major state-wide media.
30 Notwithstanding any provision of this paragraph to the contrary, an information broker
31 or data collector that maintains its own notification procedures as part of an information
32 security policy for the treatment of personal information and is otherwise consistent with
33 the timing requirements of this article shall be deemed to be in compliance with the
34 notification requirements of this article if it notifies the individuals who are the subjects
35 of the notice in accordance with its policies in the event of a breach of the security of the
36 system.
07 SB236/AP
236
- 3 -
1 (4)(5) 'Person' means any individual, partnership, corporation, limited liability company,
2 trust, estate, cooperative, association, or other entity. The term 'person' as used in this
3 article shall not be construed to require duplicative reporting by any individual,
4 corporation, trust, estate, cooperative, association, or other entity involved in the same
5 transaction.
6 (5)(6) 'Personal information' means an individual´s first name or first initial and last
7 name in combination with any one or more of the following data elements, when either
8 the name or the data elements are not encrypted or redacted:
9 (A) Social security number;
10 (B) Driver´s license number or state identification card number;
11 (C) Account number, credit card number, or debit card number, if circumstances exist
12 wherein such a number could be used without additional identifying information, access
13 codes, or passwords;
14 (D) Account passwords or personal identification numbers or other access codes; or
15 (E) Any of the items contained in subparagraphs (A) through (D) of this paragraph
16 when not in connection with the individual´s first name or first initial and last name, if
17 the information compromised would be sufficient to perform or attempt to perform
18 identity theft against the person whose information was compromised.
19 The term 'personal information' does not include publicly available information that is
20 lawfully made available to the general public from federal, state, or local government
21 records."
22 SECTION 3.
23 Said article is further amended by revising Code Section 10-1-912, relating to notification
24 required upon breach of security regarding personal information, as follows:
25 "10-1-912.
26 (a) Any information broker or data collector that maintains computerized data that includes
27 personal information of individuals shall give notice of any breach of the security of the
28 system following discovery or notification of the breach in the security of the data to any
29 resident of this state whose unencrypted personal information was, or is reasonably
30 believed to have been, acquired by an unauthorized person. The notice shall be made in
31 the most expedient time possible and without unreasonable delay, consistent with the
32 legitimate needs of law enforcement, as provided in subsection (c) of this Code section, or
33 with any measures necessary to determine the scope of the breach and restore the
34 reasonable integrity, security, and confidentiality of the data system.
35 (b) Any person or business that maintains computerized data on behalf of an information
36 broker or data collector that includes personal information of individuals that the person
07 SB236/AP
236
- 4 -
1 or business does not own shall notify the information broker or data collector of any breach
2 of the security of the data immediately system within 24 hours following discovery, if the
3 personal information was, or is reasonably believed to have been, acquired by an
4 unauthorized person.
5 (c) The notification required by this Code section may be delayed if a law enforcement
6 agency determines that the notification will compromise a criminal investigation. The
7 notification required by this Code section shall be made after the law enforcement agency
8 determines that it will not compromise the investigation.
9 (d) In the event that an information broker or data collector discovers circumstances
10 requiring notification pursuant to this Code section of more than 10,000 residents of this
11 state at one time, the information broker or data collector shall also notify, without
12 unreasonable delay, all consumer reporting agencies that compile and maintain files on
13 consumers on a nation-wide basis, as defined by 15 U.S.C. Section 1681a, of the timing,
14 distribution, and content of the notices."
15 SECTION 4.
16 Article 8 of Chapter 9 of Title 16 of the Official Code of Georgia Annotated, relating to the
17 offense of identity fraud, is amended by revising Code Section 16-9-121, relating to the
18 elements of the offense, as follows:
19 "16-9-121.
20 (a) A person commits the offense of identity fraud when without the authorization or
21 permission of a person with the intent unlawfully to appropriate resources of or cause
22 physical harm to that person, or of any other person, to his or her own use or to the use of
23 a third party he or she willfully and fraudulently:
24 (1) Obtains or records identifying information of a person which would assist in
25 accessing the resources of that person or any other person; or
26 (2) Accesses or attempts to access the resources of a person through the use of
27 identifying information.
28 (1) Without authorization or consent, uses or possesses with intent to fraudulently use,
29 identifying information concerning an individual;
30 (2) Uses identifying information of an individual under 18 years old over whom he or
31 she exercises custodial authority;
32 (3) Uses or possesses with intent to fraudulently use, identifying information concerning
33 a deceased individual;
34 (4) Creates, uses, or possesses with intent to fraudulently use, any counterfeit or fictitious
35 identifying information concerning a fictitious individual with intent to use such
07 SB236/AP
236
- 5 -
1 counterfeit or fictitious identification information for the purpose of committing or
2 facilitating the commission of a crime or fraud on another person; or
3 (5) Without authorization or consent, creates, uses, or possesses with intent to
4 fraudulently use, any counterfeit or fictitious identifying information concerning a real
5 individual with intent to use such counterfeit or fictitious identification information for
6 the purpose of committing or facilitating the commission of a crime or fraud on another
7 person.
8 (b) A person commits the offense of identity fraud by receipt of fraudulent identification
9 information when he or she willingly accepts for identification purposes identifying
10 information which he or she knows to be fraudulent, stolen, counterfeit, or fictitious. In
11 any prosecution under this subsection it shall not be necessary to show a conviction of the
12 principal thief, counterfeiter, or fraudulent user.
13 (c) The offenses created by this Code section shall not merge with any other offense.
14 (d) This Code section shall not apply to a person under the age of 21 who uses a
15 fraudulent, counterfeit, or other false identification card for the purpose of obtaining entry
16 into a business establishment or for purchasing items which he or she is not of legal age to
17 purchase."
18 SECTION 5.
19 Said article is further amended by adding a new Code section as follows:
20 "16-9-125.1.
21 (a) A person who has learned or reasonably believes that he or she has been the victim of
22 identity fraud may contact the local law enforcement agency with jurisdiction over his or
23 her actual residence for the purpose of making an incident report. The law enforcement
24 agency having jurisdiction over the complainant´s residence shall make a report of the
25 complaint and provide the complainant with a copy of the report. Where jurisdiction for
26 the investigation and prosecution of the complaint lies with another agency, the law
27 enforcement agency making the report shall forward a copy to the agency having such
28 jurisdiction and shall advise the complainant that the report has been so forwarded.
29 (b) Nothing in this Code section shall be construed so as to interfere with the discretion
30 of a law enforcement agency to allocate resources for the investigation of crimes. A report
31 created pursuant to this Code section is not required to be counted as an open case file."
32 SECTION 6.
33 Said article is further amended by revising Code Section 16-9-126, relating to penalties for
34 violations, as follows:
07 SB236/AP
236
- 6 -
1 "16-9-126.
2 (a) A violation of this article, other than a violation of Code Section 16-9-122, shall be
3 punishable by imprisonment for not less than one nor more than ten years or a fine not to
4 exceed $100,000.00, or both. Any person who commits such a violation for the second or
5 any subsequent offense shall be punished by imprisonment for not less than three nor more
6 than 15 years, a fine not to exceed $250,000.00, or both.
7 (b) A violation of this article which does not involve the intent to commit theft or
8 appropriation of any property, resource or other thing of value that is committed by a
9 person who is less than 21 years of age, shall be punishable by imprisonment for not less
10 than one nor more than three years or a fine not to exceed $ 5,000.00, or both.
11 (b)(c) Any person found guilty of a violation of this article may be ordered by the court
12 to make restitution to any consumer victim or any business victim of such fraud.
13 (c)(d) Each violation of this article shall constitute a separate offense.
14 (d)(e) Upon a conviction of a violation of this article, the court may issue any order
15 necessary to correct a public record that contains false information resulting from the
16 actions which resulted in the conviction."
17 SECTION 7.
18 This Act shall become effective upon its approval by the Governor or upon its becoming law
19 without such approval and Section 4 shall apply to all offenses occurring on or after such
20 date.
21 SECTION 8.
22 All laws and parts of laws in conflict with this Act are repealed.
