Tennessee Expands Breach Notification Statute

Data breach notifications may become more common in Tennessee. The Governor recently signed into law a bill updating the state's breach notification requirements by (a) requiring notice even where the compromised data is encrypted, (b) requiring notice within 45 days of discovery of the breach (barring a law enforcement hold), and (c) more clearly covering the actions of malicious employees.

The change is most notable for requiring notification even when the data is encrypted. It applies to any organization handling Tennessee residents' data. The new law takes effect July 1, 2016. Given this amendment, all companies handling such data should consider whether their incident response plans need updating.

What’s the Law?

Tennessee has had a breach notification law in place for some time. If a business handling the data of Tennessee residents discovers that such data has been acquired by an unauthorized entity, notice must be provided. Under the law, the information that triggers a breach notification is an individual's (a) first name or first initial, together with last name, combined with (b) any of the following: Social Security Number, driver's license number, and/or specified financial account information.

In the past, notification requirements were not triggered if the data was encrypted. Additionally, there was no hard timeline for delivery of notice; notice was simply required without unreasonable delay. Under the revised law, even the acquisition of encrypted data is covered. If such data is unlawfully obtained, notice must be provided to the impacted Tennessee residents within 45 days of discovery unless law enforcement has asked that notice be delayed. Further, the law now makes clear that acquisition by an unauthorized person includes an employee acting with malicious intent. In addition to consumer notice, the law maintains its requirement to notify consumer reporting agencies where notice is provided to more than 1,000 residents. Violation of the law gives rise to a private right of action for impacted residents.

What Should Companies Do?

In light of the above, companies should take this opportunity to revisit their breach and incident response plans. Where some companies may previously have decided to withhold notification because the data was encrypted or because the acquisition was the act of a misbehaving employee, notice will now be required in these instances, and it must be provided within 45 days absent a law enforcement hold. Failure to meet these mandates may lead to legal action.
