Update for Tennessee Breach Notification Laws

Data breach notification laws in Tennessee have been updated to better protect state residents. The new law requires organizations to issue breach notifications to state residents more quickly, and the range of information covered has been widened.

Under the new law, organizations doing business in the state of Tennessee will be required to notify state residents of a breach of personal information within 45 days of the discovery of the breach. Originally the bill required organizations to issue notifications within 14 days of discovery, although this was later changed to 45 days.

Previously, data breach notification laws in Tennessee required all businesses to issue breach notifications in a reasonable time frame after a breach was identified. Tennessee is the eighth state to put in place a time frame for sending breach notification letters.

Tennessee is not the only state to introduce laws that reduce the timescale for notifying those affected by a breach, but in contrast to most states, information holders are not permitted to extend the deadline even if an investigation into the breach is ongoing or if measures have not yet been taken to restore the security of the information holder’s systems. The only exception is when a delay has been requested by law enforcement agencies in order not to compromise a criminal investigation.

While the old breach notification law required notifications to be sent to breach victims in cases where unencrypted data were exposed, the new law has dropped the word “unencrypted”. Out of the 47 states that have passed breach notification laws, Tennessee is the only state to drop its safe harbor for encrypted data. The change was required, according to Sen. Bill Ketron (R), who sponsored the bill, because “encrypted data is now being stolen almost as easily as unencrypted [data].”

This means that if data is taken illegally, the information holder would still need to notify affected individuals of the breach even if the data were encrypted, although only if the breach materially compromised the security, confidentiality, or integrity of personal information.

The definition of “unauthorized person” has also been widened to include employees of an information holder who are found to have obtained personal information and used it for an unlawful purpose.

Tennessee Governor Bill Haslam (R) signed bill S.B. 2005 into law in March 2016. The new data breach notification law in Tennessee will come into effect on July 1, 2016.