As I blogged about here, last year Tennessee became the first state in the U.S. to remove the encryption safe harbor from its definition of a data breach when its legislature amended the state's data breach laws, which meant notice was required for a data breach of encrypted information. See Tenn. Code Ann. § 47-18-2107.
On March 22, 2017, the Tennessee legislature amended Tennessee’s Identity Theft Deterrence Act to reinstate the encryption safe harbor. If the amendments become law, data breach notification will no longer be required for encrypted information, unless the encryption key is also breached, or for redacted personal information.
Encryption is defined in the amendments as computerized data rendered unusable, unreadable or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2.
Although perhaps not as newsworthy, the amendments also expand substitute notice to include email if email is the information holder’s primary method of communication.
Tennessee’s data breach laws keep in place the forty-five (45) day deadline to notify residents of a data breach.
Tennessee is among 47 states, along with Washington, D.C., and three U.S. territories, with data breach notification laws. The laws vary, and state requirements can differ from federal requirements. Businesses that maintain personal information must understand the various federal and state data breach laws and be aware of changes in legislation.