Tennessee Amends Its Data Breach Notification Laws

April 19, 2016 | by Melody McAnally

Removes the Encryption Safe Harbor, Limits the Timing of Notice, and Expands “Unauthorized Persons”

Effective July 1, 2016, Tennessee becomes the first state to remove the encryption safe harbor from its data breach notification laws[1] (Tennessee Identity Theft Deterrence Act of 1999, Tennessee Code Annotated § 47-18-2101, et seq.). A copy of the amendments can be found here. The previous Tennessee laws triggered notice only if there was a breach of unencrypted data acquired by an unauthorized person. The amended laws now trigger notice to Tennessee residents if there is a data breach, whether the data is encrypted or unencrypted.

Also, businesses subject to the laws must now notify Tennessee residents affected by data breaches “immediately, but no later than forty-five (45) days from the discovery or notification of the breach.” (Emphases added). The original amendment required notice within fourteen (14) days, but the bill was subsequently amended to expand the deadline to 45 days. Tennessee now joins a handful of other states requiring notice within a specific time. Previously, the Tennessee laws required notice of a data breach in the most expedient time possible and without unreasonable delay, which is the statutory language of a large majority of state data breach laws.

Finally, the amended laws expand the definition of an “unauthorized person” to include an employee who obtained personal information “and intentionally used it for an unlawful purpose.” This could significantly increase the number of businesses now required to provide notice of a data breach.

Companies with clients or customers in Tennessee should develop and implement data breach response plans that reflect these new amendments to Tennessee’s data breach notification laws.

[1] Forty-seven (47) states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring entities to notify individuals of data breaches involving personally identifiable information.