SB 493 amends Chapter 1 of Title 10 of the OCGA to establish an affirmative defense for business entities against a tort cause of action for failure to implement reasonable cybersecurity controls, resulting in a data breach of private information. Business entities intending to assert this defense must maintain a written cybersecurity program with reasonable administrative, technical, and physical safeguards. A covered entity using this affirmative defense must establish substantial compliance with this code section and that it has undergone a data security assessment by an independent security assessment firm within 12 months prior to the data breach.