The following appeared in the September 29, 2016 edition of The ALI Adviser.
On July 1, 2016, important changes to Tennessee’s data breach notification law went into effect, changes that concern all employers. Tennessee removed the encryption safe harbor, now requires notice for employee data breach incidents, and changed when organizations must send notices to affected individuals. Here’s what you need to know.
What is a data breach?
A data breach is the unauthorized access of computerized data consisting of an individual’s first name (or first initial) and last name plus one of the following: (i) full Social Security number; (ii) driver’s license number; or (iii) financial account number or credit/debit card number together with any security code, access code or password (referred to in this article as “Personal Information”). As of July 1, it no longer matters whether this Personal Information is encrypted in your computer system – an important change. If you have a breach of encrypted Personal Information, you now have a data breach under Tennessee law. Tennessee is the first state to require data breach notification regardless of whether Personal Information is encrypted.
Every employer likely has at least employee Social Security numbers and possibly driver’s license numbers as well. How do you store this information? If you’re storing this Personal Information in your computer system, you’re at risk of a data breach. If you don’t need to electronically store your employees’ full Social Security numbers, redact them down to the last four digits. If you store credit card numbers, use software that automatically redacts the full numbers. These are simple, inexpensive ways to protect against a data breach.
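The following added example (not part of the original article) models the three-part definition of Personal Information described above and the redaction the article recommends, showing that a record which triggers the definition stops doing so once the full SSN and card number are reduced to their last four digits and the card code is dropped. The record layout, the SSN and card-number patterns, and the sample values are assumptions constructed for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed formats for the triggering data elements (constructed for this example).
SSN_FULL = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")   # full nine-digit SSN
CARD_FULL = re.compile(r"^\d{13,19}$")            # full payment card number

@dataclass
class EmployeeRecord:
    first_name: str                 # full first name or first initial
    last_name: str
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None
    card_number: Optional[str] = None
    card_security_code: Optional[str] = None

def is_personal_information(rec: EmployeeRecord) -> bool:
    """Name plus at least one triggering element, per the article's definition."""
    if not (rec.first_name and rec.last_name):
        return False
    full_ssn = bool(rec.ssn and SSN_FULL.match(rec.ssn))
    has_dl = bool(rec.drivers_license)
    # A card/account number counts only when stored with its code or password.
    card_with_code = bool(rec.card_number and CARD_FULL.match(rec.card_number)
                          and rec.card_security_code)
    return full_ssn or has_dl or card_with_code

def redact_to_last_four(value: str, mask: str) -> str:
    """Keep only the last four digits; 'mask' is the visible prefix pattern."""
    digits = re.sub(r"\D", "", value)
    return mask + digits[-4:]

def minimise(rec: EmployeeRecord) -> EmployeeRecord:
    """Copy of the record keeping only what the article says is safe to retain:
    last-four SSN, redacted card number, and no security code. The driver's
    license number is kept as stored, so a record holding one still triggers."""
    return EmployeeRecord(
        first_name=rec.first_name,
        last_name=rec.last_name,
        ssn=redact_to_last_four(rec.ssn, "***-**-") if rec.ssn else None,
        drivers_license=rec.drivers_license,
        card_number=redact_to_last_four(rec.card_number, "************") if rec.card_number else None,
        card_security_code=None,
    )

# Constructed sample record (not real data).
SAMPLE = EmployeeRecord("J", "Doe", ssn="123-45-6789",
                        card_number="4111111111111111", card_security_code="123")
```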
As of July 1, unauthorized access also includes an employee who obtains Personal Information and intentionally uses it for an unlawful purpose. This means you must provide notification of data breaches that result from improper access by employees if that Personal Information is used for any reason outside the scope of their employment. Before this change, conventional wisdom was that all employees were “authorized” to access Personal Information.
You can prevent employee data breaches by restricting the employees who have computer access to Personal Information. This is often called the principle of least privilege. No employee should be given computer access to this Personal Information unless absolutely needed. Does any employee outside of your HR department need access to this Personal Information? Probably not.
How does a data breach happen?
The most newsworthy way data breaches happen is when hackers secretly install malicious software (also known as malware) on a computer system allowing the hackers to access computerized Personal Information. The bad guys want to steal your employees’ Personal Information to create fraudulent credit card accounts or to sell the Personal Information on the “dark web” to other bad guys who’ll steal your employees’ identity.
But a data breach can also happen as a result of employee negligence (e.g., emailing Personal Information to the wrong email address, faxing Personal Information to the wrong fax number, or losing a laptop or smartphone) or theft of laptops or smartphones. Make sure you keep your inventory of laptops up to date.
What must you do if you have a data breach?
You must provide written notice of a data breach to Tennessee residents whose Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person. Tennessee law requires data breach notification affecting Tennessee residents regardless of where your business is located. What matters is the residence of the individuals whose Personal Information was breached.
If a data breach requires you to notify more than 500,000 individuals or if providing notice will cost more than $250,000, you may give “substitute notice” by email notice, conspicuous posting on your website, and notification to major statewide media.
If a data breach requires you to notify more than 1,000 individuals at one time, you must also notify the credit reporting agencies: Equifax, Experian, and TransUnion. It’s also best practice to report a data breach caused by theft to local law enforcement, or a data breach by hackers to the U.S. Secret Service Electronic Crimes Task Force.
When is notice of a data breach required?
Another important change to Tennessee’s data breach notification law is that written notification must be provided “immediately” but no later than 45 days from discovery of the breach.
The only exception to the 45-day deadline is if law enforcement asks you to wait for it to investigate the data breach. This almost never happens. If law enforcement does ask you to delay notice, get that request in writing.
This 45-day deadline means you must be ready now. Don’t wait until you have a data breach to plan your response. Establish a data breach response team now. Evaluate the outside personnel you will need to help you respond to a data breach: outside counsel; IT/forensics professionals; and public relations professionals, to name a few. Make sure your IT team is involved in employee termination procedures so that computer access is terminated immediately before employees are terminated.
What happens if you fail to provide notice of a data breach?
A civil lawsuit may be filed if you fail to provide data breach notification within 45 days of discovering the data breach. Any such lawsuit must be filed within 2 years.
Are there any exceptions to this law?
Tennessee’s data breach notification law does not apply if you are subject to the Health Insurance Portability and Accountability Act (“HIPAA”) or the Gramm-Leach-Bliley Act.