During the recent 110^th Regular Session of the Tennessee General Assembly, Governor Bill Haslam signed into law an amendment to the Tennessee Identity Theft Deterrence Act of 1999.¹

The previous version of the law required any person or business that conducts business in the state of Tennessee and that owns or licenses computerized personal information of Tennessee residents to notify such residents whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. These persons or businesses were required to notify affected Tennessee residents within 45 days following discovery or notification of a breach, provided that a law enforcement agency may delay this notification requirement if it determines that notification would impede a criminal investigation.

This amendment, which unanimously passed both chambers of the Tennessee General Assembly:

• Clarifies that notification to affected Tennessee residents of a data breach must be made within 45 days following a determination by the applicable law enforcement agency that notification will not compromise the investigation;
• Adds exceptions to the definition of "personal information" for (i) information that has been redacted or otherwise made unusable, and (ii) encrypted information, provided that the encryption key for such information has not been acquired by an unauthorized person; and
• Changes the definition of an "unauthorized person" from "an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose" to "an employee of the information holder who is discovered by the information holder to have obtained personal information with the intent to use it for an unlawful purpose."

The exception of encrypted information from the definition of protected personal information is consistent with similar breach notification statutes in other states and is a welcome confirmation of the scope of the statute. However, the change to the definition of "unauthorized person", for example, raises new uncertainties not previously present.

The revised definition of "unauthorized person" appears to obligate employers to provide notification when an employee obtains personal information and intends to use it unlawfully, but has not yet done so. This raises the issue of whether the act of obtaining, but not using, the personal information could alone constitute a "material" compromise of the "security, confidentiality, or integrity of the personal information" and thereby trigger a breach notification obligation. If the latter is true, this change in the definition of "unauthorized person" may greatly expand required notifications under this law.

Bass, Berry & Sims will continue to monitor and provide updates as we track privacy legislation and regulations.