Tennessee Amends Breach Notice Statute: Sets Notice Deadline, Eliminates Encryption Safe Harbor


Tennessee recently amended its data breach notification law, and in doing so, it has joined the ranks of states like Florida, Ohio, and Wisconsin that require notification to residents of a data breach within a defined time period.  When the law becomes effective on July 1, 2016, the statute will require notice to Tennessee residents within forty-five (45) days after discovery that personal information has been acquired by an “unauthorized person,” even if the information is encrypted.  The bill as introduced required notice within fourteen (14) days, but it was subsequently amended to extend the deadline to 45 days.

Even with the 45-day timeline, Tennessee’s amended notice statute will be among the most demanding in the nation.  The law does not permit delays for remediation or investigation of a breach unless a law enforcement agency determines that notification will impede a criminal investigation, and even then, notice must be made within 45 days after law enforcement determines that notification will no longer compromise an investigation.

The 45-day notice window is not the only substantial change to the Tennessee law.  Under the current statute, a company need not provide notice to consumers whose personal information was affected in a breach if that information was encrypted (commonly referred to as an “encryption safe harbor”).  The amendments do away with the encryption safe harbor and require notice even if the personal information was protected by encryption.  The amended statute also makes clear that an employee may be an “unauthorized person” for purposes of the statute if that employee intentionally uses the personal information for an unlawful purpose.

If your business has personal information about Tennessee residents, it may be prudent to revisit your incident response plan to make sure that it provides for notice within the new 45-day window.  For those keeping score, the following state notification laws now include a statutorily required timeline for notification to consumers, state regulators, or both:

  • Connecticut
  • Florida
  • Louisiana
  • Maine
  • Ohio
  • Rhode Island
  • Tennessee
  • Vermont
  • Washington
  • Wisconsin

In order to meet these timelines, it is imperative that a company understand which service providers and systems store personal information, monitor for system compromises, define service provider obligations in the event of a compromise, and have plans and vendors lined up to handle a data breach response efficiently.  Also, consider taking steps to account for the possibility that you may not always be able to meet the 45-day notice deadline, notwithstanding your best-laid plans.  By establishing relationships with regulators and law enforcement authorities before a breach happens, you may be able to buy your company valuable time in the event of a crisis.