Tennessee Expands Data Breach Reporting Obligations



Amendments to Tennessee’s data breach notification law will take effect July 1, 2016. The amendments, passed as H.B. 1631 and signed into law by Governor Bill Haslam earlier this spring, significantly tighten the notification requirements with respect to personal data regarding Tennessee residents.

Forty-seven states, as well as the District of Columbia, have data breach notification laws on the books. While there are variations among the states, they generally require that a company, upon learning of a breach of security involving “personal information,” notify affected residents of that breach. “Personal information” is typically defined as an individual’s first name or first initial and last name, in combination with a social security number, driver license number, or financial account or card number together with any required security code or password that would permit access to the account. “Breach” is typically defined as unauthorized acquisition of unencrypted data; many states add a harm threshold, requiring notification only when there is a reasonable belief that the breach has caused or will cause injury, or poses a significant risk of identity theft. Notification must generally be made in the most expedient time possible, and in certain cases notification to state agencies is also required.

Prior to the passage of H.B. 1631, Tennessee’s data breach notification law contained these typical provisions. The new amendments impose additional notification requirements, as described below.

45-day timeline

Prior to the amendment, Tennessee required that notification of a breach be made “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement … or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” The amended law requires that notification be made “immediately, but no later than forty-five days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement.” Rather than being afforded a “reasonable” period in which to determine the scope of the breach and fix it, companies must now investigate the breach and make notification by a specific deadline. Note that the clock runs from discovery of the breach, not from the end of the forensic investigation: a company that has not finished scoping an incident by day forty-five must still notify with what it knows, unless law enforcement has asked for a delay.

Removal of safe harbor for encrypted data

Like other states’ breach notification laws, Tennessee’s law previously defined a “breach” as the “unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder.” In the amended law, the word “unencrypted” has been deleted from that definition. This change significantly expands the circumstances under which notification is required under Tennessee law: encrypting stored data no longer by itself takes an incident outside the definition of a breach, and the operative question becomes whether the unauthorized acquisition materially compromises the personal information.

Adds definition of “unauthorized person”

Although the law had always required notification of a breach in which personal information was reasonably believed to have been acquired by an unauthorized person, the term “unauthorized person” was not previously defined in the law. The amended law inserts language making clear that “unauthorized person” “includes an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose.”

Tennessee’s move to extend the breach notification obligation to breaches in which encrypted, as well as unencrypted, information is compromised comes at a time when data breaches continue to be in the news. The experience of LinkedIn is illustrative. In 2012, the company suffered a breach that it believed affected 6.5 million passwords, widely described as “encrypted” but in fact stored as unsalted SHA-1 hashes, which is what made them recoverable by brute force. Last month, it was reported that hackers were trying to sell the credentials for 117 million LinkedIn accounts, including email addresses and passwords. The hackers stated that the data had been stolen during the 2012 breach, and the hashed passwords had been cracked.
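The LinkedIn episode shows why “encrypted” data can still be compromised, and therefore why an encryption safe harbor is not a guarantee. The following is an added example, not code from the original post or from LinkedIn: it uses a constructed set of hypothetical user records and a constructed wordlist, stores the passwords the way the 2012 dump was (unsalted SHA-1 hashes), and cracks them with a single precomputed table. It then stores the same passwords with a per-user salt and an iterated key derivation (PBKDF2-HMAC-SHA256 from the Python standard library), where no shared table is possible and every guess must be recomputed per user. The `work` counter returned by each cracking function counts hash computations so the cost difference is visible.

```python
import hashlib
import secrets

# Constructed sample records (hypothetical users, not real LinkedIn data),
# stored as unsalted SHA-1 hex digests as the 2012 dump was.
WEAK_STORE = {
    "alice@example.com": hashlib.sha1(b"linkedin").hexdigest(),
    "bob@example.com": hashlib.sha1(b"password1").hexdigest(),
    "carol@example.com": hashlib.sha1(b"Xq7!v9#Lr2$tWz").hexdigest(),
}

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "linkedin", "password1", "letmein", "qwerty"]


def crack_unsalted_sha1(store, wordlist):
    """Hash every candidate once, then look up every stored digest.

    With no salt, one table breaks every account that used a common
    password; the work is len(wordlist) hashes no matter how many users.
    Returns (cracked {user: password}, number of hash computations).
    """
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: table[h] for user, h in store.items() if h in table}
    return cracked, len(wordlist)


def hash_password(password, salt=None, iterations=200_000):
    """Salted, iterated PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=200_000):
    """Constant-time comparison of a recomputed digest against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return secrets.compare_digest(candidate, digest)


def build_salted_store(plaintexts, iterations=200_000):
    """Store {user: password} as {user: (salt, digest)} with a fresh salt each."""
    return {user: hash_password(pw, iterations=iterations)
            for user, pw in plaintexts.items()}


def crack_salted(store, wordlist, iterations=200_000):
    """Same wordlist against salted records.

    No precomputed table applies, so each guess is recomputed for each
    user, and each recomputation costs `iterations` rounds. Weak passwords
    still fall, but at len(store) * len(wordlist) cost in the worst case.
    Returns (cracked {user: password}, number of PBKDF2 computations).
    """
    cracked, work = {}, 0
    for user, (salt, digest) in store.items():
        for w in wordlist:
            work += 1
            if verify_password(w, salt, digest, iterations):
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    weak_hits, weak_work = crack_unsalted_sha1(WEAK_STORE, WORDLIST)
    print("unsalted SHA-1:", weak_hits, "hash computations:", weak_work)

    plaintexts = {"alice@example.com": "linkedin",
                  "bob@example.com": "password1",
                  "carol@example.com": "Xq7!v9#Lr2$tWz"}
    salted = build_salted_store(plaintexts, iterations=1_000)
    salted_hits, salted_work = crack_salted(salted, WORDLIST, iterations=1_000)
    print("salted PBKDF2:", salted_hits, "PBKDF2 computations:", salted_work)
```

The point for a notification analysis is the first half: an unsalted fast hash is a format conversion, not protection, and the LinkedIn data were recoverable for anyone with a wordlist. The second half shows the minimum a practitioner should expect before arguing that compromised credential data was not “materially compromised”: a per-record salt and a deliberately slow derivation, and even then the weak passwords in the set are still found. The `iterations=1_000` in the demo is only to keep the run short; the function defaults of 200,000 are closer to what should be deployed.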

It remains to be seen whether other states will follow Tennessee’s lead and add requirements to their existing breach notification laws. The amendment serves as yet another reminder that companies need to be vigilant in protecting the personal data they maintain, and in responding promptly if a breach nevertheless occurs.
