Tennessee Amends Data Breach Notification Statute

By: Kacie Manisco and David Cole

On March 24, 2016, Tennessee Governor Bill Haslam signed into law a bill amending the state’s Data Breach Notification Statute. The amendments, which will go into effect on July 1, 2016, bring significant changes to how businesses must respond to data breaches involving information of Tennessee residents.

First, the amended statute now requires that notification be provided to residents affected by a data breach within 45 days after discovery of the breach. Prior to this amendment, Tennessee’s statute, like the data breach statutes of a majority of states, only mandated that disclosure of a data breach be made in the “most expedient time possible” and “without unreasonable delay.” Tennessee has now become the eighth state to enact legislation that sets a specific time period for notification to affected individuals. In addition, the new law does not permit delays for remediation or investigation of a breach unless a law enforcement agency determines that notification will impede a criminal investigation, and even then, notice must be made within 45 days after law enforcement determines that notification will no longer compromise an investigation.

Second, the amendment expands the definition of “unauthorized person.” Tennessee requires any information holder to disclose a breach of the security of the system to any resident of Tennessee whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Like other states, Tennessee used to exclude from the definition of a data breach any “good faith acquisition of personal information by an employee or agent” of the information holder. Under the amendment, however, an unauthorized person now includes “an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose.”

Lastly, the amended statute changes the definition of the term “breach of the security of the system” to remove the word “encrypted.” This is being described by some as the first instance in which a state has removed its safe harbor provision for the loss of encrypted information. However, a close examination of the statute shows that this amendment is non-substantive, because the statute still provides that only a breach of “personal information,” which remains defined as unencrypted personal information, will trigger the breach notification requirement.

As we have discussed before, these changes highlight the importance of being prepared before a breach occurs, which includes having a data breach response plan in place that will help you comply with notice obligations like these in a timely manner. We have created our FMG Cyber Toolkit to help our clients for this very reason. Please contact one of our Cyber, Data Security, and Privacy practice group attorneys for more information about developing a plan for your organization.