Tennessee Amends Data Breach Notification Statute to Require Notice Within 45 Days | Practical Law

Tennessee has amended its data breach notification law to require immediate disclosure of any breach of the security of a system and to clarify that a notification may be required where an employee of the information holder acquires personal information if the employee misuses it.

Practical Law Legal Update w-001-8303

by Practical Law Intellectual Property & Technology
Published on 31 Mar 2016
USA (National/Federal)
On March 24, 2016, Tennessee governor Bill Haslam signed into law S.B. 2005, as amended, which will amend Tennessee Code Annotated, Section 47-18-2107, effective July 1, 2016. Tennessee's data breach law will be amended to:
  • Require immediate notification in the event of a breach. As with most state data breach statutes, the Tennessee statute currently requires notification within the most expedient time possible. The amended statute will require immediate notification. In the case of individuals, the statute provides that notification may be made no later than 45 days from discovery or notification of the breach, unless otherwise required by law enforcement. Information holders that maintain personal information they do not own must notify the owner of the personal information within 14 days.
  • Clarify that notification obligations may be triggered when an employee of the information holder breaches the system. The current version of the statute excludes good faith acquisition of personal information by an information holder's employees from the definition of breach of the security system. S.B. 2005 amends the statute to explicitly define an unauthorized person for purposes of determining whether there is a breach to include an information holder's employee who acquires personal information and intentionally misuses it for an unlawful purpose.
  • Exempt information holders that are subject to HIPAA. This amendment brings the Tennessee statute in line with a number of other state statutes.
In addition, S.B. 2005 amends the definition of breach of the security system to remove the word "encrypted." However, this amendment is non-substantive as the amended statute still provides that only a breach of personal information, which is defined as unencrypted personal information, will trigger the breach notification requirement.
The amended Section 47-18-2107 will apply to any breaches that occur on or after July 1, 2016.