Search form

Tennessee Amends Data Breach Notification Statute to Cover Encrypted Data and Address Timing

By Jason C. Gavejian
  • March 29, 2016

An amendment to the Tennessee’s data breach notification statute has eliminated a provision requiring notice only in the event of a breach of unencrypted personal information. Accordingly, it appears that Tennessee is the first state in the country to require breach notification regardless of whether the affected information was encrypted. The amendment (S.B. 2005), signed by Governor Bill Haslam on March 24, 2016, will take effect on July 1, 2016.

The amendment also requires notification of a data breach to be provided to any affected Tennessee resident within 45-days after discovery of the breach (absent a delay request from law enforcement). Previously, Tennessee’s statute, similar to the data breach laws of the vast majority of other states, had required disclosure of a breach to be made in the most expedient time possible and without unreasonable delay. Florida is another state that has amended its breach notification statute to require notification within a set time (30 days) after discovery of a breach.

Finally, the amendment adds a section stating that an “unauthorized person” includes an employee of the information holder who is discovered to have obtained personal information and intentionally used it for an unlawful purpose. This amendment likely is focused on entities that failed to provide notification of data incidents that were the result of improper access by employees.

Jackson Lewis attorneys are available to answer inquiries regarding this new law.

©2016 Jackson Lewis P.C. This Update is provided for informational purposes only. It is not intended as legal advice nor does it create an attorney/client relationship between Jackson Lewis and any readers or recipients. Readers should consult counsel of their own choosing to discuss how these matters relate to their individual circumstances. Reproduction in whole or in part is prohibited without the express written consent of Jackson Lewis.

This Update may be considered attorney advertising in some states. Furthermore, prior results do not guarantee a similar outcome.

Jackson Lewis P.C. represents management exclusively in workplace law and related litigation. Our attorneys are available to assist employers in their compliance efforts and to represent employers in matters before state and federal courts and administrative agencies. For more information, please contact the attorney(s) listed or the Jackson Lewis attorney with whom you regularly work.

See AllRelated Articles You May Like

April 9, 2018

State Data Breach Notification Laws: Overview of the Patchwork

April 9, 2018

The nation’s patchwork of state data breach notification laws is now complete. All 50 states, as well as the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have enacted breach notification laws requiring private organizations or government entities to notify individuals of a security breach involving their personally... Read More

March 26, 2018

Federal Communications Commission Order on Telephone Calls Went Too Far, D.C. Circuit Court Rules

March 26, 2018

The U.S. Court of Appeals for the District of Columbia has issued a highly anticipated ruling reviewing the Federal Communications Commission’s July 2015 Declaratory Ruling and Order interpreting the Telephone Consumer Protection Act (TCPA). ACA Int’l, et al. v. FCC, et al., No. 15-1211 (D.C. Cir. Mar. 16, 2018). The TCPA generally... Read More

February 27, 2018

Is Employee Consent under EU Data Protection Regulation Possible?

February 27, 2018

U.S. organizations that control or process the personal data of European Union residents likely are subject to the EU’s new data protection requirements, the General Data Protection Regulation (GDPR). The GDPR takes effect on May 25, 2018. The GDPR, which supersedes the 1995 EU Data Protection Directive, imposes harsh penalties for... Read More