Businesses Face Up to $10,000 in Fines for Improper Disposal of Records with Personal Information
On July 1, 2002, Georgia's new identity theft law goes into effect, requiring businesses to appropriately discard materials that record written, printed, spoken, visual or electronic personal information of their customers. A business must do one of the following:
1) shred the record before discarding it;
2) erase the personal information before discarding it;
3) make the personal information unreadable before discarding it; or
4) take actions that it reasonably believes will ensure that no unauthorized person will have access to the personal information during the period between the time the record is transferred to a third party for value or to a business engaged in the destruction of records and such record's actual destruction.
What's "personal information"? Personal information is personally identifiable data about a customer's medical condition, data which contain a customer's account or identification number, account balance, balance owing, credit balance, or credit limit, if the data relate to a customer's account or transaction with a business, data regarding an account opening or loan or credit application, or data about a customer's federal, state or local income tax return. Personally identifiable information includes information capable of being associated with a particular customer (photograph, social security number, driver's license number, date of birth, medical information or disability information), but does not include a customer's name, address and telephone number unless one or more of them is combined with one or more of the identifiers like a photograph, social security number or date of birth.
A business is exempt from the statute if any federal law requires it to discard records in the same manner as Georgia's Identity Theft Law. Specifically mentioned exemptions are:
Banks and other financial institutions subject to the privacy and security provisions of the Gramm-Leach-Bliley Act ("GLBA");
Hospitals and other healthcare institutions subject to the privacy and security regulations of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and licensed under Title 31 of the Georgia Code. Institutions licensed under Title 31 include home health agencies, nursing homes, hospices, etc.
The Georgia Identity Theft Law applies to other businesses that are also subject to HIPAA (e.g., health plans, health care clearinghouses, and providers not licensed under Title 31).
If your business is subject to the Georgia Identity Theft Law, you should develop a policy for properly disposing of customer database records that include name, address, social security number, etc. Even businesses that are exempt from the Georgia law may consider adopting such a policy as a best business practice.
Violations can result in fines up to an aggregate of $10,000.
This bulletin was prepared by the law firm of Arnall Golden Gregory LLP. It presents information on legal matters of general interest in summary form. This document should not be construed as legal advice or opinion on specific matters.