Cybersecurity Incident and Data Breach Reporting Requirements

A. Purpose and Scope
This rule establishes cybersecurity incident reporting obligations for all Georgia Ports Authority (“the Authority”) Terminal Users, including but not limited to terminal operators, tenants, vessel owners, vendors, consultants, contractors, subcontractors, and their designees (collectively, “Terminal Users”). These obligations apply where an actual or suspected cybersecurity incident or data breach may reasonably pose a threat to the Authority’s systems, data, personnel, infrastructure, or daily operations.

B. Reporting Requirement
Terminal Users shall disclose to the Authority any Cybersecurity Incident or Data
Breach that:
1. Has resulted in operational disruption to the Terminal User’s activities at the
Authority’s terminals or facilities; and
2. May reasonably threaten the Authority’s information systems, infrastructure,
operational continuity, or safety.
Such disclosure shall be made to GPA’s Director of Information Technology at
[email protected] as soon as practicable, but no later than two (2)
calendar days from the date the Terminal User knows or reasonably should have
known of the incident, unless delayed due to law enforcement investigation or legal
notification requirements under applicable state or federal law.

C. Reportable Incidents Include but Are Not Limited To:
1. Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
affecting the Authority’s related services;
2. Unauthorized access to systems connected to the Authority’s networks;
3. Ransomware or malware attacks;
4. Account compromise affecting credentials used for the Authority’s systems;
5. Data exfiltration involving customer, employee, or sensitive operational data
with any nexus to the Authority’s operations.

D. Penalties for Non-Disclosure
Failure to timely report a qualifying Cybersecurity Incident or Data Breach as
required by this Rule may result in an administrative penalty of $1,000 per
calendar day, up to a maximum of $50,000 per incident as a reasonable estimate
of the costs and risks incurred by the Authority due to delayed notice. Additionally,
the Authority reserves the right to seek full reimbursement for any direct damages
incurred as a result of the unreported incident.

E. Definitions
1. Cybersecurity Incident: A violation or imminent threat of violation, whether intentional or unintentional, of an information system’s security policies, practices, or standard operating procedures that has the potential to negatively impact the Authority’s operations, security, or data.
2. Data Breach: The unauthorized acquisition, disclosure, or access of data maintained in electronic format that includes personal information, protected operational data, or system credentials. Good faith access by authorized personnel that does not result in misuse or further unauthorized disclosure does not constitute a breach.