Security Breach Notification Law

Georgia's breach notification law was amended in 2007 to include public universities and other state and local agencies. Personal information protected by the Georgia Personal Identity Protection Act of 2007 (O.C.G.A. 10-1-910 through 10-1-912), or GPIPA, includes the combination of an individual's full name, or first initial and last name with one of the following, when not encrypted or redacted:

• Social Security Number
• Driver's license number or state ID card number
• Account, credit card, or debit card number
• Account passwords, personal identification numbers, or other access codes

Any of these types of information are included without a name if a compromise would be sufficient to attempt to perform identity theft using that information. GPIPA does not include any publicly available information, including Open Records data, which includes most University records and communications.

Breach notification laws from other states, notably California, may still apply if residents from other states are affected.

Point of Contact

Office of Information Security (via the EITS Help Desk) 706-542-3106

Related Links

• Interactive map of state breach notification laws
• Official Text — Georgia Senate Bill SB 230/AP(2005)
• Official Text — Georgia Senate Bill SB 236/AP(2007 Amendment)
• State by state official codes for breach laws