Tennessee Updates Data Breach Statute to Require Notice in 14 Days

Alston & Bird

On March 24, 2016, Tennessee Governor Bill Haslam signed SB 2005 into law. The bill makes two principal updates to Tennessee’s data breach statute. First, the statute will now require organizations that have experienced a data breach to notify individuals within fourteen days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement. Service providers must report a breach to the organization for which they are processing the data within fourteen days of discovery.

The second update to the statute adds employees of the business who use the information in an unlawful manner to the definition of unauthorized persons whose acquisition of personal data will trigger notice under the law.

By mandating a specific notice period, Tennessee joins a small number of states requiring notice to be made within a certain time after an organization becomes aware of the breach. Tennessee’s is one of the shortest periods adopted to date. Puerto Rico’s data breach statute requires notice to be made to the Department of Consumer Affairs within ten days of discovery of a breach. Florida requires notice to individuals to be made within thirty days following discovery of the breach.

The new law takes effect on July 1, 2016.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising

Written by:

Alston & Bird

Alston & Bird on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide