Tennessee Enacts Tough Data Breach Law

    May 24, 2016

    As of July 2016, Tennessee will be the first state to abolish the “encryption safe harbor” rule, giving it the honor of having the strictest data breach law in the United States, according to data privacy experts.

    An encryption safe harbor exempts companies that suffer a data breach from notifying customers if the exposed data was encrypted. However, Tennessee’s amended Identity Theft Deterrence Act of 1999, effective July 1, requires notification even if the breached data was encrypted, according to a Corporate Counsel report. The rule requires notice of a data breach to be given to affected individuals within 45 days unless law enforcement needs more time to investigate.

    It’s a change that could set a precedent, according to a report from New York-based legal firm Jackson Lewis P.C. Tennessee will be the first state in the country to require breach notification regardless of whether or not the breached data was encrypted.

    The revision also establishes a deadline for notification of a breach. Before, like most other states, Tennessee law required disclosure of a breach to be made in the most expedient time possible and without unreasonable delay. Only a few states, including Florida, have established a set notification time period.

    Lastly, the bill amends the statute to specify that an “unauthorized person” includes an employee of the information holder who is discovered to have obtained personal information and intentionally used it for an unlawful purpose. According to Jackson Lewis, this amendment is likely focused on people who failed to provide notification of data breaches that resulted from improper access by employees.

    Some lawyers believe the revised rules will place an undue burden on companies.

    “If you’re a company with a laptop stolen in Tennessee, you really have to ask yourself how you’re going to demonstrate that the bad guys” aren’t going to get access to certain information. Whereas in every other state, “you just have to show that the data is encrypted,” Stephen Embry of Frost Brown Todd told Corporate Counsel.

    The law does not require notice in every circumstance without question, but experts say the law in Tennessee now makes a distinction between strong and weak encryption that other states are not making, Corporate Counsel reported.


    © 2017, ARMA International