23 LC 47 2184 S. B. 161 - 1 -

Senate Bill 161

By: Senators Kennedy of the 18th, Gooch of the 51st, Dolezal of the 27th, Robertson of the 29th, Anavitarte of the 31st and others

A BILL TO BE ENTITLED
AN ACT

To amend Chapter 60 of Title 36 of the Official Code of Georgia Annotated, relating to general provisions applicable to counties and municipal corporations, so as to ensure that counties and municipalities are protected from cyber attacks directed at contractors and suppliers by requiring certain provisions in county and municipal contracts; to amend Chapter 25 of Title 50 of the Official Code of Georgia Annotated, relating to the Georgia Technology Authority, so as to ensure that state agencies are protected from cyber attacks directed at contractors and suppliers by requiring certain provisions in contracts entered into by the state and its agencies; to provide for related matters; to repeal conflicting laws; and for other purposes.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:

SECTION 1.

Chapter 60 of Title 36 of the Official Code of Georgia Annotated, relating to general provisions applicable to counties and municipal corporations, is amended by adding a new Code section to read as follows:

"36-60-30.

(a) As used in this Code section, the term:

(1) 'Contractor' means any person entering a contractual relationship with a local government that is either based upon a written contract or that provides a person with electronic or physical access to any local government computer system, data systems, or facility controlled or affiliated with such local government, and shall include all subcontractors of such person.

(2) 'Data breach' means unauthorized access or disclosure of data under the contractor's control or in the contractor's possession contrary to the terms of a contract between the contractor and local government.

(3) 'Local government' means any county or municipality of this state.

(4) 'Person' means any natural person, partnership, corporation, trust, association, or any other legal entity, other than the federal government or the state or a political subdivision, agency, or authority thereof.

(5) 'Personally identifiable information' means an individual's first name, last name, home address, personal phone numbers, date of birth, email addresses.

(b) The following requirements shall apply to all local government contracts entered into or renewed after January 1, 2024, in this state:

(1) That the contractor shall remain compliant with the external data privacy program outlined in this Code section, and upon written request by the local government, shall provide any evidence demonstrating compliance via written response within seven days or less;

(2) In the event of a data breach, the contractor shall use reasonable efforts to notify the local government immediately of such data breach unless notification to an alternative or additional entity is provided in the contract. The contractor shall take such actions as may be necessary to preserve forensic evidence and eliminate the cause of the data breach. The contractor shall give highest priority to immediately correcting any data breach and shall devote such resources as may be required to accomplish that goal. The contractor shall provide the local government with all information necessary to enable the local government to fully understand the nature and scope of the data breach, the scope of such information being at the discretion of the local government; and

(3) The contractor shall enact an external data privacy program that shall include, at a minimum, the following elements:

(A) The contractor shall perform, at a minimum, quarterly scans for each of its employees' personally identifiable information:

(i) Across at least 350 known data brokers or people search websites, using such site's public onsite search functionality; and

(ii) Using at least one major internet search engine, determine what information is returned and easily obtainable using such search.

Such quarterly scans may be accomplished by manual effort or using an automated service, so long as such scans are definitive;

(B) The contractor shall maintain a report of the information discovered from the scans provided in subparagraph (A) of this paragraph. Using such information, the contractor shall conduct an annual privacy risk assessment to evaluate its ongoing privacy policies and security and access practices against standards identified in the contract based on the data such contractor will have access to or otherwise handle pursuant to its contract with the local government;

(C) The reports described in subparagraph (B) of this paragraph shall be maintained by the contractor for a period of no less than three years, including after the conclusion of the contract period, and shall be made available within seven days of a request from the local government or alternative entity provided in the contract in the event a past data breach is found to have occurred, of a suspected data breach, or of an actual data breach described in subparagraph (A) of paragraph (2) of this Code section. The contract between the local government and contractor may provide that the local government maintain such records; and

(D) The contractor shall certify to the local government that it conducts at least annually a privacy training for such contractor's employees that includes information on its external data privacy program, and the risks associated with data brokers and external data privacy, including, but not limited to, that external data exposures are used to craft highly targeted social engineering and spear phishing attacks. Such privacy training shall not preclude or supplant any privacy training the contractor already provides to its employees.

(c) Contractors shall certify to the local government that it maintains or otherwise includes as part of its operations an external data privacy program no less stringent than the external data privacy program as described in subparagraph (b)(3)(D) of this Code section. This external data privacy program shall not preclude or supplant any similar program already provided.

(d) This Code section shall not apply to any intergovernmental contracts or agreements a local government enters with another local government, the federal government, the state, or a political subdivision, agency, or authority thereof."

SECTION 2.

Chapter 25 of Title 50 of the Official Code of Georgia Annotated, relating to the Georgia Technology Authority, is amended by revising Code Section 50-25-7.3, which is reserved, as follows:

"50-25-7.3.

(a) As used in this Code section, the term:

(1) 'Contractor' means any person entering a contractual relationship with the authority that is either based upon a written contract or that provides a person with electronic or physical access to any state or agency computer system, data systems, or facility controlled or affiliated with the State of Georgia or one or more of its agencies, and shall include all subcontractors of such person.

(2) 'Data breach' means unauthorized access or disclosure of data under the contractor's control or in the contractor's possession contrary to the terms of a contract between the contractor and the agency or authority.

(3) 'Person' means any natural person, partnership, corporation, trust, association, or any other legal entity, other than the federal government or the state or a political subdivision, agency, or authority thereof.

(4) 'Personally identifiable information' means an individual's first name, last name, home address, personal phone numbers, date of birth, email addresses.

(b) The authority shall, pursuant to its authorization under this chapter, apply the following contractual requirements applicable to contractors, vendors, suppliers, and other entities contracting or renewing a contract with an agency after January 1, 2024, apply which shall include the following:

(1) That the contractor shall remain compliant with the external data privacy program outlined in this Code section, and upon written request by either the authority or the agency, shall provide any evidence demonstrating compliance via written response within seven days or less;

(2) In the event of a data breach, the contractor shall use reasonable efforts to notify the authority and the agency immediately of such data breach unless notification to an alternative or additional entity is provided in the contract. The contractor shall take such actions as may be necessary to preserve forensic evidence and eliminate the cause of the data breach. The contractor shall give highest priority to immediately correcting any data breach and shall devote such resources as may be required to accomplish that goal. The contractor shall provide the authority and the agency with all information necessary to enable the authority and the agency to fully understand the nature and scope of the data breach, the scope of such information being at the discretion of the authority; and

(3) The contractor shall enact an external data privacy program that shall include, at a minimum, the following elements:

(A) The contractor shall perform, at a minimum, quarterly scans for each of its employees' personally identifiable information:

(i) Across at least 350 known data brokers or people search websites, using such site's public onsite search functionality; and

(ii) Using at least one major internet search engine, determine what information is returned and easily obtainable using such search.

Such quarterly scans may be accomplished by manual effort or using an automated service, so long as such scans are definitive;

(B) The contractor shall maintain a report of the information discovered from the scans provided in subparagraph (A) of this paragraph. Using such information, the contractor shall conduct an annual privacy risk assessment to evaluate its ongoing privacy policies and security and access practices against standards identified in the contract based on the data such contractor will have access to or otherwise handle pursuant to its contract with the local government;

(C) The reports described in subparagraph (B) of this paragraph shall be maintained by the contractor for a period of no less than three years, including after the conclusion of the contract period, and shall be made available within seven days of a request from the local government or alternative entity provided in the contract in the event a past data breach is found to have occurred, of a suspected data breach, or of an actual data breach described in subparagraph (A) of paragraph (2) of this Code section. The contract between the agency or the authority and contractor may provide that the agency or the authority maintain such records; and

(D) The contractor shall certify to the authority and the agency that it conducts at least annually a privacy training for such contractor's employees that includes information on its external data privacy program, and the risks associated with data brokers and external data privacy, including, but not limited to, that external data exposures are used to craft highly targeted social engineering and spear phishing attacks. Such privacy training shall not preclude or supplant any privacy training the contractor already provides to its employees.

(c) Contractors shall certify to the authority and the agency that it maintains or otherwise includes as part of its operations an external data privacy program no less stringent than the external data privacy program as described in subparagraph (b)(3)(D) of this Code section. This external data privacy program shall not preclude or supplant any similar program already provided.

(d) This Code section shall not apply to any intergovernmental contracts or agreements an agency enters with another agency, the federal government, the state, or a local government, political subdivision, agency, or authority thereof. Reserved."

SECTION 3.

All laws and parts of laws in conflict with this Act are repealed.