Update for Tennessee Breach Notification Laws

by | Apr 5, 2016

Data breach notification laws in Tennessee have been updated to better protect state residents. The new law requires organizations to issue breach notifications to state residents more quickly, while the range of information covered has been widened.

Under the new law, organizations doing business in the state of Tennessee will be required to notify state residents of a breach of personal information within 45 days of the discovery of a data breach. Originally the bill required organizations to issue notifications within 14 days of discovery, although this was later changed to 45 days.

Previously, data breach notification laws in Tennessee required all businesses to issue breach notifications in a reasonable time frame after a breach was identified. Tennessee is the eighth state to put in place a time frame for sending breach notification letters.

Tennessee is not the only state to introduce laws that reduce the timescale for notifying those affected by a breach – it is the eighth state to add a timescale for sending breach notifications – but in contrast to most states, information holders are not permitted to extend the deadline even if an investigation into the breach is ongoing or if measures have not yet been taken to restore the security of the information holder’s systems. The only exception is when a delay has been requested by law enforcement agencies in order not to compromise a criminal investigation.

While the old breach notification law required notifications to be sent to breach victims in cases where unencrypted data were exposed, the new law has dropped the word “unencrypted”. Out of the 47 states that have passed breach notification laws, Tennessee is the only state to drop its safe harbor for encrypted data. The change was required, according to Sen. Bill Ketron (R), who sponsored the bill, because “encrypted data is now being stolen almost as easily as unencrypted [data].”

This means that if data is taken illegally, the information holder would still need to notify affected individuals of the breach even if the data were encrypted, although only if the breach materially compromised the security, confidentiality, or integrity of personal information.

The definition of “unauthorized person” has also been widened to include employees of an information holder who are found to have obtained personal information and used it for an unlawful purpose.

Tennessee Governor Bill Haslam (R) signed bill S.B. 2005 into law in March 2016. The new data breach notification law in Tennessee will come into effect on July 1, 2016.


Patrick Kennedy
