Data Breach Notification Laws for Small Business: Law in the State of Georgia

Last week, we defined a data breach and personal information generally. This week we are going to more specifically deal with the Georgia statute and explain some of the big takeaways for the SMB market in our state. Even if your business does not operate in Georgia, your state probably has a statute in place that is almost identical, so you might want to read this anyway.

Georgia’s Statute on Data Breach

When a small business network is hacked and the safety of users’ personal information is breached, the business is forced to take action within a reasonable timeframe. The specific wording is: “in the most expedient time possible and without unreasonable delay…”

For third parties who manage information for businesses, such as value-added resellers (VARs)/cloud providers (like Centerpoint Direct), the timing is more explicit: a notification must be sent within 24 hours following discovery.

This ensures that consumers are notified as early as possible, so that they can take the appropriate countermeasures to prevent identity theft (ie. credit card theft, fraudulent bank account activity…).

Breaches of under 10,000 people require that notification be sent to each customer whose information was exposed. These communications can be made privately, but they must be made. Larger hacks require the business to notify the Consumer Protection Bureau, which often means public shaming by the media.

States differ on this application of the statute. California mandates that any data breach of over 500 customers be communicated to the Office of the Attorney General, for instance.

The Big Picture: Key Takeaway

The structure of notifications filters down from the information aggregator (ie. cloud provider) down through its business customers. Then, in turn, businesses are forced to inform their customers. In other words, the business is held responsible for its own security and the protection of its customers – even if the breach occurs at a higher level.

From a technical standpoint, this implication makes sense because a business can always isolate its sensitive data, protecting its customers should a data breach take place farther up the chain. This tactic protects customers, but it also protects the business from upstream security threats.

We recommend that the SMB market seek out an information security partner – someone who will recommend the appropriate protection plan for your business. With all the cloud security options on the market today, in addition to advanced 2-step validation and cloud backups, there are cost-effective options out there, which can mitigate risk and use information technology to gain a competitive advantage.

Come back next week for the security implications to you as a consumer.