Tennessee Amends Data Breach Notification Statute to Cover Encrypted Data and Address Timing

By Jason C. Gavejian
March 29, 2016

An amendment to Tennessee’s data breach notification statute has eliminated a provision requiring notice only in the event of a breach of unencrypted personal information. Accordingly, it appears that Tennessee is the first state in the country to require breach notification regardless of whether the affected information was encrypted. The amendment (S.B. 2005), signed by Governor Bill Haslam on March 24, 2016, will take effect on July 1, 2016.

The amendment also requires notification of a data breach to be provided to any affected Tennessee resident within 45 days after discovery of the breach (absent a delay request from law enforcement). Previously, Tennessee’s statute, like the data breach laws of the vast majority of other states, had required disclosure of a breach to be made in the most expedient time possible and without unreasonable delay. Florida is another state that has amended its breach notification statute to require notification within a set time (30 days) after discovery of a breach.

Finally, the amendment adds a section stating that an “unauthorized person” includes an employee of the information holder who is discovered to have obtained personal information and intentionally used it for an unlawful purpose. This amendment is likely focused on entities that failed to provide notification of data incidents that were the result of improper access by employees.

Jackson Lewis attorneys are available to answer inquiries regarding this new law.

©2016 Jackson Lewis P.C. This Update is provided for informational purposes only. It is not intended as legal advice nor does it create an attorney/client relationship between Jackson Lewis and any readers or recipients. Readers should consult counsel of their own choosing to discuss how these matters relate to their individual circumstances. Reproduction in whole or in part is prohibited without the express written consent of Jackson Lewis.

This Update may be considered attorney advertising in some states. Furthermore, prior results do not guarantee a similar outcome.

Jackson Lewis P.C. represents management exclusively in workplace law and related litigation. Our attorneys are available to assist employers in their compliance efforts and to represent employers in matters before state and federal courts and administrative agencies. For more information, please contact the attorney(s) listed or the Jackson Lewis attorney with whom you regularly work.
