Tennessee Amends Breach Notification Statute

Written by: Richard Sheinis, Esq.

Senate Bill 2005, amending Tennessee’s data breach notification law, was signed by the Governor on March 24, 2016. The new law is effective July 1, 2016. The main changes to the current law (Tennessee Code Annotated, Section 47-18-2107) are as follows:

Notification of a data breach must be provided to affected Tennessee residents within 45 days of the discovery of the breach. The old law required notification in a reasonable time. The amendment originally required notification within 14 days of discovery of the breach, but the notification period was changed to 45 days before the Senate passed the Bill.

The new law removes the word “unencrypted” from the definition of personal information. The implication is that even if the personal information that is the subject of the breach is encrypted, notification is still required. This differs from the law of most states, as well as HIPAA, which provide a safe harbor for encrypted data.

Lastly, the new law seems intended to address theft of personal data by an employee of the business holding the data. An employee who obtains the data and intentionally uses it for an unlawful purpose is included in the definition of an “unauthorized person”.
