Tennessee Eliminates Encryption Safe Harbor from Data Breach Notification Law
Tennessee is the first state in the nation to require notice to consumers even when the personal information exposed in a data breach was encrypted. On March 24, 2016, Governor Bill Haslam signed into law an amendment that removes the provision of the state's data breach notification law under which notice was required only for a breach of unencrypted information.
Senate Bill 2005 also places a new time limit on notifying affected residents. Private entities must notify affected Tennessee residents of a data breach within forty-five (45) days after the entity discovers or is notified of the breach (the statute allows a longer period only where the legitimate needs of law enforcement require it). This forty-five-day deadline is among the shortest in the country. Additionally, the amendment expands the definition of "unauthorized person" to include an employee of the information holder who is discovered to have obtained personal information and intentionally used it for an unlawful purpose. The law takes effect July 1, 2016.
Most state data breach notification statutes require notification to affected consumers, the state attorney general, or a state agency when a private entity or state agency discovers unauthorized acquisition of, or access to, unencrypted or unredacted personal information. In other words, the exposure of unencrypted data is what triggers the notification obligation. Other state statutes do not specifically refer to encryption, but instead provide that the obligation is not triggered if the data was "rendered secure" or "unusable" to an unauthorized third party.
California, a widely recognized trendsetter in data privacy law, has adopted an encryption safe harbor. Many states that excuse a private entity from notifying on the condition that the data was properly encrypted do not, however, define or elaborate on what counts as acceptable encryption or redaction. California recently defined encryption in Senate Bill 570, which took effect on January 1, 2016. Personal information is "encrypted" if it is rendered "unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security." This clarification provides some guidance for handling electronically stored personal information. Private companies that want to avoid costly notifications should consider whether properly implemented encryption protects their electronically stored personal information. In practice, that means encryption with a generally accepted algorithm and, just as importantly, key management that keeps the decryption keys separate from the data: encrypted data whose key is exposed in the same incident is no longer "unusable" to the attacker, and a safe-harbor argument built on it is unlikely to hold up.
See S.B. 2005, 2016 Leg., 109th Gen. Assemb., Reg. Sess. (Tenn. 2016), available at http://www.capitol.tn.gov/Bills/109/Bill/SB2005.pdf.
See 2015 Cal. Legis. Serv. Ch. 543 (S.B. 570).
See Cal. Civ. Code § 1798.82(i)(4).
The articles published in this newsletter are intended only to provide general information on the subjects covered. The contents should not be construed as legal advice or a legal opinion. Readers should consult with legal counsel to obtain specific legal advice based on particular situations.