Tennessee Amends Its Data Breach Notification Law for the Second Year in a Row
In a move that pulls the state back towards the majority, Tennessee no longer requires disclosure of a data breach to consumers if the exposed personal information is encrypted. On April 4, 2017, Governor Bill Haslam signed into law an amendment to the Tennessee Identity Theft Deterrence Act of 1999 that, among other changes, adds back the encryption safe harbor to Tennessee's data breach notification law.
Before Senate Bill 547, the Act required any party conducting business in Tennessee that owns or licenses computerized personal information of Tennessee residents to inform such residents if it knows or reasonably believes an unauthorized person acquired their encrypted or unencrypted personal information. The previous version of the law also mandated that disclosure be made within forty-five (45) days from discovery of the breach, one of the shortest notification periods in the country. This amendment changed and clarified the definitions of several key terms in the statute:
- Breach of System Security. The amendment adds the encryption safe harbor by specifying that a breach of system security occurs when an unauthorized person acquires unencrypted computerized data or encrypted computerized data and the associated encryption key.1
- Unauthorized Person. S.B. 547 additionally changes the definition of an unauthorized person to encourage information holders to be more proactive with respect to breaches involving one of their employees. Prior to this amendment, an employee was an unauthorized person for purposes of the statute if they obtained personal information and “intentionally used” it for an unlawful purpose. Now, however, the amended definition includes employees who obtain personal information “with the intent to use” it for an unlawful purpose.2
- Encryption. This amendment also redefines encrypted to mean that the personal information is “rendered unusable, unreadable, or indecipherable” in accordance with the Federal Information Processing Standard (FIPS).3 FIPS are publicly announced standards developed by the federal government for use in computer systems.
Just last year, Tennessee became the only state to remove the safe harbor for encrypted data with Senate Bill 2005, but it quickly rejoined the majority with this amendment. On March 15, 2017, at the time the amended bill was presented to the House Consumer and Resources Committee, Rep. Courtney Rogers stated that the Tennessee legislature found the extra burden on organizations doing business in the state to be “disincentivizing our businesses to encrypt their data by requiring everything to be reported.”4
While S.B. 547 diminishes required notifications by adding back the encryption safe harbor, it seemingly expands notifications by changing the definition of an “unauthorized person.” With organizations now required to disclose when employees obtain personal information intending to break the law before actually doing so, required notifications are likely to increase. The increased difficulty in proving future intent might also create a gray area that Tennessee organizations find confusing to interpret.
As there remains no national standard for data security breach notification, Tennessee and other states continue to employ a trial-and-error, patchwork approach to these situations. State legislatures face the difficult challenge of balancing ever-increasing consumer protection concerns with encouraging economic efficiency and technology innovation within their states.
1 See Tenn. Code Ann. § 47-18-2107(a)(1)(A) (West).
2 Id. § 47-18-2107(a)(5).
3 Id. § 47-18-2107(a)(2).
4 Consumer Protection: Hearing on H.B. 545 Before the H. Comm. on Consumer and Human Resources, 2017 Leg., 110th Sess. (Tenn. 2017) (statement of Rep. Courtney Rogers).
The articles published in this newsletter are intended only to provide general information on the subjects covered. The contents should not be construed as legal advice or a legal opinion. Readers should consult with legal counsel to obtain specific legal advice based on particular situations.