| 1 | 1 | | 23 LC 47 2184 |
|---|
| 2 | 2 | | S. B. 161 |
|---|
| 3 | 3 | | - 1 - |
|---|
| 4 | 4 | | Senate Bill 161 |
|---|
| 5 | 5 | | By: Senators Kennedy of the 18th, Gooch of the 51st, Dolezal of the 27th, Robertson of the |
|---|
| 6 | 6 | | 29th, Anavitarte of the 31st and others |
|---|
| 7 | 7 | | A BILL TO BE ENTITLED |
|---|
| 8 | 8 | | AN ACT |
|---|
| 9 | 9 | | To amend Chapter 60 of Title 36 of the Official Code of Georgia Annotated, relating to |
|---|
| 10 | 10 | | 1 |
|---|
| 11 | 11 | | general provisions applicable to counties and municipal corporations, so as to ensure that2 |
|---|
| 12 | 12 | | counties and municipalities are protected from cyber attacks directed at contractors and3 |
|---|
| 13 | 13 | | suppliers by requiring certain provisions in county and municipal contracts; to amend4 |
|---|
| 14 | 14 | | Chapter 25 of Title 50 of the Official Code of Georgia Annotated, relating to the Georgia5 |
|---|
| 15 | 15 | | Technology Authority, so as to ensure that state agencies are protected from cyber attacks6 |
|---|
| 16 | 16 | | directed at contractors and suppliers by requiring certain provisions in contracts entered into7 |
|---|
| 17 | 17 | | by the state and its agencies; to provide for related matters; to repeal conflicting laws; and8 |
|---|
| 18 | 18 | | for other purposes.9 |
|---|
| 19 | 19 | | BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:10 |
|---|
| 20 | 20 | | SECTION 1.11 |
|---|
| 21 | 21 | | Chapter 60 of Title 36 of the Official Code of Georgia Annotated, relating to general12 |
|---|
| 22 | 22 | | provisions applicable to counties and municipal corporations, is amended by adding a new13 |
|---|
| 23 | 23 | | Code section to read as follows:14 |
|---|
| 24 | 24 | | "36-60-30. |
|---|
| 25 | 25 | | 15 |
|---|
| 26 | 26 | | (a) As used in this Code section, the term:16 23 LC 47 2184 |
|---|
| 27 | 27 | | S. B. 161 |
|---|
| 28 | 28 | | - 2 - |
|---|
| 29 | 29 | | (1) 'Contractor' means any person entering a contractual relationship with a local17 |
|---|
| 30 | 30 | | government that is either based upon a written contract or that provides a person with18 |
|---|
| 31 | 31 | | electronic or physical access to any local government computer system, data systems, or19 |
|---|
| 32 | 32 | | facility controlled or affiliated with such local government, and shall include all20 |
|---|
| 33 | 33 | | subcontractors of such person.21 |
|---|
| 34 | 34 | | (2) 'Data breach' means unauthorized access or disclosure of data under the contractor's22 |
|---|
| 35 | 35 | | control or in the contractor's possession contrary to the terms of a contract between the23 |
|---|
| 36 | 36 | | contractor and local government.24 |
|---|
| 37 | 37 | | (3) 'Local government' means any county or municipality of this state.25 |
|---|
| 38 | 38 | | (4) 'Person' means any natural person, partnership, corporation, trust, association, or any26 |
|---|
| 39 | 39 | | other legal entity, other than the federal government or the state or a political subdivision,27 |
|---|
| 40 | 40 | | agency, or authority thereof.28 |
|---|
| 41 | 41 | | (5) 'Personally identifiable information' means an individual's first name, last name,29 |
|---|
| 42 | 42 | | home address, personal phone numbers, date of birth, email addresses.30 |
|---|
| 43 | 43 | | (b) The following requirements shall apply to all local government contracts entered into31 |
|---|
| 44 | 44 | | or renewed after January 1, 2024, in this state:32 |
|---|
| 45 | 45 | | (1) That the contractor shall remain compliant with the external data privacy program33 |
|---|
| 46 | 46 | | outlined in this Code section, and upon written request by the local government, shall34 |
|---|
| 47 | 47 | | provide any evidence demonstrating compliance via written response within seven days35 |
|---|
| 48 | 48 | | or less;36 |
|---|
| 49 | 49 | | (2) In the event of a data breach, the contractor shall use reasonable efforts to notify the37 |
|---|
| 50 | 50 | | local government immediately of such data breach unless notification to an alternative38 |
|---|
| 51 | 51 | | or additional entity is provided in the contract. The contractor shall take such actions as39 |
|---|
| 52 | 52 | | may be necessary to preserve forensic evidence and eliminate the cause of the data40 |
|---|
| 53 | 53 | | breach. The contractor shall give highest priority to immediately correcting any data41 |
|---|
| 54 | 54 | | breach and shall devote such resources as may be required to accomplish that goal. The42 |
|---|
| 55 | 55 | | contractor shall provide the local government with all information necessary to enable the43 23 LC 47 2184 |
|---|
| 56 | 56 | | S. B. 161 |
|---|
| 57 | 57 | | - 3 - |
|---|
| 58 | 58 | | local government to fully understand the nature and scope of the data breach, the scope44 |
|---|
| 59 | 59 | | of such information being at the discretion of the local government; and45 |
|---|
| 60 | 60 | | (3) The contractor shall enact an external data privacy program that shall include, at a46 |
|---|
| 61 | 61 | | minimum, the following elements:47 |
|---|
| 62 | 62 | | (A) The contractor shall perform, at a minimum, quarterly scans for each of its48 |
|---|
| 63 | 63 | | employees' personally identifiable information:49 |
|---|
| 64 | 64 | | (i) Across at least 350 known data brokers or people search websites, using such site's50 |
|---|
| 65 | 65 | | public onsite search functionality; and51 |
|---|
| 66 | 66 | | (ii) Using at least one major internet search engine, determine what information is52 |
|---|
| 67 | 67 | | returned and easily obtainable using such search.53 |
|---|
| 68 | 68 | | Such quarterly scans may be accomplished by manual effort or using an automated54 |
|---|
| 69 | 69 | | service, so long as such scans are definitive;55 |
|---|
| 70 | 70 | | (B) The contractor shall maintain a report of the information discovered from the scans56 |
|---|
| 71 | 71 | | provided in subparagraph (A) of this paragraph. Using such information, the contractor57 |
|---|
| 72 | 72 | | shall conduct an annual privacy risk assessment to evaluate its ongoing privacy policies58 |
|---|
| 73 | 73 | | and security and access practices against standards identified in the contract based on59 |
|---|
| 74 | 74 | | the data such contractor will have access to or otherwise handle pursuant to its contract60 |
|---|
| 75 | 75 | | with the local government;61 |
|---|
| 76 | 76 | | (C) The reports described in subparagraph (B) of this paragraph shall be maintained62 |
|---|
| 77 | 77 | | by the contractor for a period of no less than three years, including after the conclusion63 |
|---|
| 78 | 78 | | of the contract period, and shall be made available within seven days of a request from64 |
|---|
| 79 | 79 | | the local government or alternative entity provided in the contract in the event a past65 |
|---|
| 80 | 80 | | data breach is found to have occurred, of a suspected data breach, or of an actual data66 |
|---|
| 81 | 81 | | breach described in subparagraph (A) of paragraph (2) of this Code section. The67 |
|---|
| 82 | 82 | | contract between the local government and contractor may provide that the local68 |
|---|
| 83 | 83 | | government maintain such records; and69 23 LC 47 2184 |
|---|
| 84 | 84 | | S. B. 161 |
|---|
| 85 | 85 | | - 4 - |
|---|
| 86 | 86 | | (D) The contractor shall certify to the local government that it conducts at least70 |
|---|
| 87 | 87 | | annually a privacy training for such contractor's employees that includes information71 |
|---|
| 88 | 88 | | on its external data privacy program, and the risks associated with data brokers and72 |
|---|
| 89 | 89 | | external data privacy, including, but not limited to, that external data exposures are used73 |
|---|
| 90 | 90 | | to craft highly targeted social engineering and spear phishing attacks. Such privacy74 |
|---|
| 91 | 91 | | training shall not preclude or supplant any privacy training the contractor already75 |
|---|
| 92 | 92 | | provides to its employees.76 |
|---|
| 93 | 93 | | (c) Contractors shall certify to the local government that it maintains or otherwise includes77 |
|---|
| 94 | 94 | | as part of its operations an external data privacy program no less stringent than the external78 |
|---|
| 95 | 95 | | data privacy program as described in subparagraph (b)(3)(D) of this Code section. This79 |
|---|
| 96 | 96 | | external data privacy program shall not preclude or supplant any similar program already80 |
|---|
| 97 | 97 | | provided.81 |
|---|
| 98 | 98 | | (d) This Code section shall not apply to any intergovernmental contracts or agreements a82 |
|---|
| 99 | 99 | | local government enters with another local government, the federal government, the state,83 |
|---|
| 100 | 100 | | or a political subdivision, agency, or authority thereof."84 |
|---|
| 101 | 101 | | SECTION 2.85 |
|---|
| 102 | 102 | | Chapter 25 of Title 50 of the Official Code of Georgia Annotated, relating to the Georgia86 |
|---|
| 103 | 103 | | Technology Authority, is amended by revising Code Section 50-25-7.3, which is reserved,87 |
|---|
| 104 | 104 | | as follows:88 |
|---|
| 105 | 105 | | "50-25-7.3. 89 |
|---|
| 106 | 106 | | (a) As used in this Code section, the term:90 |
|---|
| 107 | 107 | | (1) 'Contractor' means any person entering a contractual relationship with the authority91 |
|---|
| 108 | 108 | | that is either based upon a written contract or that provides a person with electronic or92 |
|---|
| 109 | 109 | | physical access to any state or agency computer system, data systems, or facility93 |
|---|
| 110 | 110 | | controlled or affiliated with the State of Georgia or one or more of its agencies, and shall94 |
|---|
| 111 | 111 | | include all subcontractors of such person.95 23 LC 47 2184 |
|---|
| 112 | 112 | | S. B. 161 |
|---|
| 113 | 113 | | - 5 - |
|---|
| 114 | 114 | | (2) 'Data breach' means unauthorized access or disclosure of data under the contractor's96 |
|---|
| 115 | 115 | | control or in the contractor's possession contrary to the terms of a contract between the97 |
|---|
| 116 | 116 | | contractor and the agency or authority.98 |
|---|
| 117 | 117 | | (3) 'Person' means any natural person, partnership, corporation, trust, association, or any99 |
|---|
| 118 | 118 | | other legal entity, other than the federal government or the state or a political subdivision,100 |
|---|
| 119 | 119 | | agency, or authority thereof.101 |
|---|
| 120 | 120 | | (4) 'Personally identifiable information' means an individual's first name, last name,102 |
|---|
| 121 | 121 | | home address, personal phone numbers, date of birth, email addresses.103 |
|---|
| 122 | 122 | | (b) The authority shall, pursuant to its authorization under this chapter, apply the following104 |
|---|
| 123 | 123 | | contractual requirements applicable to contractors, vendors, suppliers, and other entities105 |
|---|
| 124 | 124 | | contracting or renewing a contract with an agency after January 1, 2024, apply which shall106 |
|---|
| 125 | 125 | | include the following:107 |
|---|
| 126 | 126 | | (1) That the contractor shall remain compliant with the external data privacy program108 |
|---|
| 127 | 127 | | outlined in this Code section, and upon written request by either the authority or the109 |
|---|
| 128 | 128 | | agency, shall provide any evidence demonstrating compliance via written response within110 |
|---|
| 129 | 129 | | seven days or less;111 |
|---|
| 130 | 130 | | (2) In the event of a data breach, the contractor shall use reasonable efforts to notify the112 |
|---|
| 131 | 131 | | authority and the agency immediately of such data breach unless notification to an113 |
|---|
| 132 | 132 | | alternative or additional entity is provided in the contract. The contractor shall take such114 |
|---|
| 133 | 133 | | actions as may be necessary to preserve forensic evidence and eliminate the cause of the115 |
|---|
| 134 | 134 | | data breach. The contractor shall give highest priority to immediately correcting any data116 |
|---|
| 135 | 135 | | breach and shall devote such resources as may be required to accomplish that goal. The117 |
|---|
| 136 | 136 | | contractor shall provide the authority and the agency with all information necessary to118 |
|---|
| 137 | 137 | | enable the authority and the agency to fully understand the nature and scope of the data119 |
|---|
| 138 | 138 | | breach, the scope of such information being at the discretion of the authority; and120 23 LC 47 2184 |
|---|
| 139 | 139 | | S. B. 161 |
|---|
| 140 | 140 | | - 6 - |
|---|
| 141 | 141 | | (3) The contractor shall enact an external data privacy program that shall include, at a121 |
|---|
| 142 | 142 | | minimum, the following elements:122 |
|---|
| 143 | 143 | | (A) The contractor shall perform, at a minimum, quarterly scans for each of its123 |
|---|
| 144 | 144 | | employees' personally identifiable information:124 |
|---|
| 145 | 145 | | (i) Across at least 350 known data brokers or people search websites, using such site's125 |
|---|
| 146 | 146 | | public onsite search functionality; and126 |
|---|
| 147 | 147 | | (ii) Using at least one major internet search engine, determine what information is127 |
|---|
| 148 | 148 | | returned and easily obtainable using such search.128 |
|---|
| 149 | 149 | | Such quarterly scans may be accomplished by manual effort or using an automated129 |
|---|
| 150 | 150 | | service, so long as such scans are definitive;130 |
|---|
| 151 | 151 | | (B) The contractor shall maintain a report of the information discovered from the scans131 |
|---|
| 152 | 152 | | provided in subparagraph (A) of this paragraph. Using such information, the contractor132 |
|---|
| 153 | 153 | | shall conduct an annual privacy risk assessment to evaluate its ongoing privacy policies133 |
|---|
| 154 | 154 | | and security and access practices against standards identified in the contract based on134 |
|---|
| 155 | 155 | | the data such contractor will have access to or otherwise handle pursuant to its contract135 |
|---|
| 156 | 156 | | with the local government;136 |
|---|
| 157 | 157 | | (C) The reports described in subparagraph (B) of this paragraph shall be maintained137 |
|---|
| 158 | 158 | | by the contractor for a period of no less than three years, including after the conclusion138 |
|---|
| 159 | 159 | | of the contract period, and shall be made available within seven days of a request from139 |
|---|
| 160 | 160 | | the local government or alternative entity provided in the contract in the event a past140 |
|---|
| 161 | 161 | | data breach is found to have occurred, of a suspected data breach, or of an actual data141 |
|---|
| 162 | 162 | | breach described in subparagraph (A) of paragraph (2) of this Code section. The142 |
|---|
| 163 | 163 | | contract between the agency or the authority and contractor may provide that the143 |
|---|
| 164 | 164 | | agency or the authority maintain such records; and144 |
|---|
| 165 | 165 | | (D) The contractor shall certify to the authority and the agency that it conducts at least145 |
|---|
| 166 | 166 | | annually a privacy training for such contractor's employees that includes information146 |
|---|
| 167 | 167 | | on its external data privacy program, and the risks associated with data brokers and147 23 LC 47 2184 |
|---|
| 168 | 168 | | S. B. 161 |
|---|
| 169 | 169 | | - 7 - |
|---|
| 170 | 170 | | external data privacy, including, but not limited to, that external data exposures are used148 |
|---|
| 171 | 171 | | to craft highly targeted social engineering and spear phishing attacks. Such privacy149 |
|---|
| 172 | 172 | | training shall not preclude or supplant any privacy training the contractor already150 |
|---|
| 173 | 173 | | provides to its employees.151 |
|---|
| 174 | 174 | | (c) Contractors shall certify to the authority and the agency that it maintains or otherwise152 |
|---|
| 175 | 175 | | includes as part of its operations an external data privacy program no less stringent than the153 |
|---|
| 176 | 176 | | external data privacy program as described in subparagraph (b)(3)(D) of this Code section.154 |
|---|
| 177 | 177 | | This external data privacy program shall not preclude or supplant any similar program155 |
|---|
| 178 | 178 | | already provided.156 |
|---|
| 179 | 179 | | (d) This Code section shall not apply to any intergovernmental contracts or agreements an157 |
|---|
| 180 | 180 | | agency enters with another agency, the federal government, the state, or a local158 |
|---|
| 181 | 181 | | government, political subdivision, agency, or authority thereof. Reserved."159 |
|---|
| 182 | 182 | | SECTION 3.160 |
|---|
| 183 | 183 | | All laws and parts of laws in conflict with this Act are repealed.161 |
|---|