Tennessee Re-Amends its Data Breach Notification Statute


By: Kacie L. Manisco

As we discussed in a prior blog post last year, in March 2016, Tennessee enacted an amendment to its data breach notification law that seemingly removed the encryption safe harbor, creating uncertainty over whether such a safe harbor continued to exist.

Just one year after this law took effect, Tennessee has again amended its data breach notification statute to exclude encrypted information from the definition of “personal information.” The new amendment serves to clear up the uncertainty caused by the 2016 amendment, and provides that the breach of encrypted data does not trigger notification to affected individuals unless the encryption key is also compromised.

The law now also contains a clearer definition of “encrypted” data, stating that it must be in accordance with the current version of the Federal Information Processing Standard (“FIPS”). Tennessee is unique among the state breach notification laws in citing to the FIPS as a reference for what constitutes encrypted data.

The amendment further clarifies the notification deadline to be either 45 days after discovery of the breach, or 45 days after a law enforcement agency investigating the incident determines that notification will not compromise a criminal investigation.

Finally, the amendment provides that notice can be made by email if the notice is either consistent with the E-Sign Act, or if the organization’s primary method of communication with the individual was by electronic means.

In light of these changes, Tennessee organizations should review their data security measures and response plans to ensure that they are prepared for and can respond efficiently to a data breach, and detect when one occurs. Working with experienced and knowledgeable cyber attorneys is important in that regard, and the attorneys in our Cyber Liability, Data Security & Privacy team keep up to date on all of these changes and other developments in the law. Please contact us to discuss how we can help your organization.

For any questions you may have please contact Kacie Manisco at [email protected].