Chapter 7: State Data Breach Notification, Data Security, and Data Destruction Laws

Breach Laws: Covered Entities

Most states cover entities that conduct business in the state and maintain computerized data containing personal information. Georgia is a notable outlier, limiting covered entities to information brokers.

Most state laws cover those who (1) conduct business in the state and (2) in the ordinary course of business maintain computerized data that includes personal information. Some states limit coverage to those conducting business in that state.

Georgia outlier

Georgia significantly narrows coverage, defining covered entities as information brokers - not all businesses. An ordinary retailer may fall outside Georgia's law even though it would be covered in most other states.

Key terms - quick answers

What is “Covered entity (breach law)”?

An entity subject to a state breach law, typically one that does business in the state and maintains computerized personal information.

What is “Information broker (Georgia)”?

Georgia's narrow definition of covered entity, limiting the breach law to businesses whose primary purpose is furnishing personal information to nonaffiliated third parties.

← Breach Laws: Defining Personal Information Breach Laws: Security Breach and Risk-of-Harm →