On March 24, 2016, Tennessee Governor Bill Haslam signed into law Senate Bill 2005 to strengthen Tennessee’s data breach notification requirements. Under the new law, an information holder must provide notice to residents of a breach of security by an unauthorized person even if the breach involves encrypted information. Previously, information holders were only required to provide notice if a breach involved unencrypted information. An information holder is any person or business that conducts business in Tennessee, or any agency of the state, that owns or licenses computerized data containing personal information. Furthermore, the new law requires information holders to provide notice to Tennessee residents affected by a data breach within 14 days of discovering the breach, whereas previously notice only needed to be given expediently and without unreasonable delay. Finally, the law expands the definition of an unauthorized person to include employees of the information holder who obtain personal information and intentionally use it for an unlawful purpose. The new law goes into effect on July 1, 2016.
These amendments to Tennessee’s data breach notification law are significant. Tennessee appears to be the first state to require notice regardless of whether the data was encrypted. Other states with a data breach notification law generally require notice only if the information was unencrypted and/or unredacted, and may require notice of a breach of encrypted information only if an unauthorized person accessed or acquired the encryption key. Tennessee’s amendment broadens what is considered a breach of security under state law and likely will lead to more frequent notice.
The 14-day notification requirement is stringent and stands out even from states that have been more active in regulating responses to data breaches. Most states require entities to provide notice to residents in the most expedient time possible and without unreasonable delay, but do not specify a time frame. Those states that do specify a time frame for notifying residents allow for longer notification periods. For example, Florida allows for notification of residents within 30 days after discovery of a breach, Vermont allows 45 days, and Connecticut allows 90 days. Tennessee’s 14-day time period likely will be more burdensome on entities, particularly those that experience a larger data breach, because it can be a time- and resource-intensive process to redress a security incident and conduct a thorough investigation before notification.
Reporter, Kerianne Tobitsch, New York, +1 212 556 2310, firstname.lastname@example.org.