
Tennessee Amends Data Breach Notification Statute to Cover Encrypted Data and Address Timing

By Jason C. Gavejian
March 29, 2016

An amendment to Tennessee’s data breach notification statute has eliminated a provision requiring notice only in the event of a breach of unencrypted personal information. Accordingly, it appears that Tennessee is the first state in the country to require breach notification regardless of whether the affected information was encrypted. The amendment (S.B. 2005), signed by Governor Bill Haslam on March 24, 2016, will take effect on July 1, 2016.

The amendment also requires notification of a data breach to be provided to any affected Tennessee resident within 45 days after discovery of the breach (absent a delay request from law enforcement). Previously, Tennessee’s statute, similar to the data breach laws of the vast majority of other states, had required disclosure of a breach to be made in the most expedient time possible and without unreasonable delay. Florida is another state that has amended its breach notification statute to require notification within a set time (30 days) after discovery of a breach.

Finally, the amendment adds a section stating that an “unauthorized person” includes an employee of the information holder who is discovered to have obtained personal information and intentionally used it for an unlawful purpose. This amendment likely is focused on entities that failed to provide notification of data incidents that were the result of improper access by employees.

Jackson Lewis attorneys are available to answer inquiries regarding this new law.

©2016 Jackson Lewis P.C. This Update is provided for informational purposes only. It is not intended as legal advice nor does it create an attorney/client relationship between Jackson Lewis and any readers or recipients. Readers should consult counsel of their own choosing to discuss how these matters relate to their individual circumstances. Reproduction in whole or in part is prohibited without the express written consent of Jackson Lewis.

This Update may be considered attorney advertising in some states. Furthermore, prior results do not guarantee a similar outcome.

Jackson Lewis P.C. represents management exclusively in workplace law and related litigation. Our attorneys are available to assist employers in their compliance efforts and to represent employers in matters before state and federal courts and administrative agencies. For more information, please contact the attorney(s) listed or the Jackson Lewis attorney with whom you regularly work.
