On March 24, 2016, Tennessee Governor Bill Haslam signed SB 2005 into law. The bill makes two principal updates to Tennessee’s data breach statute. First, the statute will now require organizations that have experienced a data breach to notify individuals within fourteen days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement. Service providers must report a breach to the organization for which they are processing the data within fourteen days of discovery.
The second update to the statute adds employees of the business who use the information in an unlawful manner to the definition of unauthorized persons whose acquisition of personal data will trigger notice under the law.
By mandating a specific notice period, Tennessee joins a small number of states requiring notice to be made within a certain time after an organization becomes aware of the breach. Tennessee’s is one of the shortest periods adopted to date. Puerto Rico’s data breach statute requires notice to be made to the Department of Consumer Affairs within ten days of discovery of a breach. Florida requires notice to individuals to be made within thirty days following discovery of the breach.
The new law takes effect on July 1, 2016.