The Atlanta Lawyer August/September 2014 | Page 11

Feature Article
accordance with its policies. If notification to more than
10,000 residents of Georgia at once is necessary, then the
Covered Entity must also notify, without unreasonable delay,
all consumer reporting agencies that compile and maintain
files on consumers on a nation-wide basis, as defined by 15
U.S.C. Section 1681a.
The Act provides no statutory remedies or independent
civil causes of action against Covered Entities who have
experienced a data breach; however, violations could
potentially be pursued under other legal theories such as
negligence per se.
Additionally, the Federal Trade Commission (FTC) is
increasingly investigating and taking enforcement action under
Section 5(a) of the FTC Act, involving “unfair and deceptive
trade practices,” against companies that have experienced
data breaches for alleged failures to take reasonable steps to

secure consumers’ Personal Information. Violations involving
personal health care information may be investigated and
prosecuted by the U.S. Department of Justice.
Given the increasing threat of identity theft, Georgia companies
should focus on limiting their potential exposure. By taking
steps such as updating security systems, minimizing storage
of Personal Information, using unique identifying numbers,
redacting and encrypting all stored Personal Information and
compartmentalizing the storage of Personal Information on
different network segments, businesses can help ensure they
don’t become the subject of the next data breach headlines.
Amy T. Andrews is an attorney with Baker, Donelson,
Bearm [