Search form

Tennessee Amends Data Breach Notification Statute to Cover Encrypted Data and Address Timing

By Jason C. Gavejian
  • March 29, 2016

An amendment to the Tennessee’s data breach notification statute has eliminated a provision requiring notice only in the event of a breach of unencrypted personal information. Accordingly, it appears that Tennessee is the first state in the country to require breach notification regardless of whether the affected information was encrypted. The amendment (S.B. 2005), signed by Governor Bill Haslam on March 24, 2016, will take effect on July 1, 2016.

The amendment also requires notification of a data breach to be provided to any affected Tennessee resident within 45-days after discovery of the breach (absent a delay request from law enforcement). Previously, Tennessee’s statute, similar to the data breach laws of the vast majority of other states, had required disclosure of a breach to be made in the most expedient time possible and without unreasonable delay. Florida is another state that has amended its breach notification statute to require notification within a set time (30 days) after discovery of a breach.

Finally, the amendment adds a section stating that an “unauthorized person” includes an employee of the information holder who is discovered to have obtained personal information and intentionally used it for an unlawful purpose. This amendment likely is focused on entities that failed to provide notification of data incidents that were the result of improper access by employees.

Jackson Lewis attorneys are available to answer inquiries regarding this new law.

©2016 Jackson Lewis P.C. This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Jackson Lewis and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.

Reproduction of this material in whole or in part is prohibited without the express prior written consent of Jackson Lewis P.C., a law firm with more than 900 attorneys in major cities nationwide serving clients across a wide range of practices and industries. Having built its reputation on providing premier workplace law representation to management, the firm has grown to include leading practices in the areas of government relations, healthcare and sports law. For more information, visit www.jacksonlewis.com.

See AllRelated Articles You May Like

April 1, 2019

Retail Industry Workplace Law Update – Spring 2019

April 1, 2019

Class Action Trends Report The latest issue of our quarterly report on new developments in class action litigation focuses on independent contractors and covers the following topics: Is an “independent contract” enough? Independent contractors in California Potential strategies to protect your company and tips to defend... Read More

March 11, 2019

New Jersey Bills Would Give Consumers Control Over Their Personal Data Privacy

March 11, 2019

New Jersey has joined a growing list of states considering legislation on data privacy to promote transparency, accountability, and individual choice. One bill would create new obligations for commercial entities whose online website or services collect personally identifiable information (PII) from individuals in New Jersey. A second... Read More

January 28, 2019

California Consumer Privacy Act: FAQs for Employers

January 28, 2019

Data privacy and security regulation is growing rapidly around the world, including in the United States. In addition to strengthening the requirements to secure personal data, individuals are being given an increasing array of rights concerning the collection, use, disclosure, sale, and processing of their personal information.... Read More