Publication Date



In a world where vast amounts of personal information
are obtained and stored by countless organizations and
businesses in the public and private sector, data breaches,

due to negligence or nefarious hacking, are a far too
common occurrence. The results of a data breach can be
serious and widespread, from public humiliation to
identity theft and national security crises. In an effort to
protect consumers from the potentially devastating effects
of data breaches, the Federal Trade Commission has
begun to take enforcement action against businesses whose
data security practices are alleged to be unfair and
deceptive. Theoretically, states can take similar actions
under their "Little FTC Acts" or data breach notification
This Note argues that Georgia's "Little FTC Act," the
Fair Business Practices Act, and data breach notification
law, the Georgia PersonalIdentity ProtectionAct, provide
insufficient protection from data breaches for Georgia
consumers and insufficient recourse for those harmed by
breaches. This Note also proposes several changes in
Georgia's statutory scheme that would incentivize
organizations to implement stronger data security
measures and provide better remedies for injured