Apr 42016

Tennessee Amends Breach Notification Law

Colleen Theresa Brown and Fran Faircloth
, , , ,

On March 24, Tennessee enacted a law amending its breach notification law, originally enacted in 2005. The new amendment requires businesses and government agencies to notify citizens affected by data breaches within 45 days of discovering the breach. Exceptions to the 45-day time limit will be allowed only when required for law enforcement purposes. The amendment also specifies that unauthorized access of information by employees of the business or agency that holds the information triggers the 45-day notification requirement.

Tennessee now joins five other states—Ohio, Rhode Island, Vermont, Washington, and Wisconsin—in mandating a 45 day deadline for data breach notification.  Quicker deadlines are found only in Florida, which has a deadline of 30 days, Vermont which requires preliminary notification to the Attorney General’s Office within 14 days (unless an affirmation has been filed to permit waiver of the preliminary notice deadline), and Puerto Rico that requires notification to the Department of Consumer Affairs within 10 days.  The California Attorney General’s Office also recommends notice within 10 business days.

The Tennessee law, as enacted with the new amendments, also refined the definition of a “breach of the security of the system,” as the “unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder.” The amendment removed the word “unencrypted” from the definition.  However, Tennessee, like most other states, still explicitly recognizes a breach must “compromise” the affected data.

The Tennessee amendments also add to the law’s existing exception for entities covered by Title V of the Gramm-Leach-Bliley Act, so that entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are also exempt from the law.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Fran Faircloth

ffaircloth@sidley.com

You might also like
UK GDPR Reform Is Back! Department of Science, Innovation and Technology Introduces New Data Protection and Digital Information Bill

On 8 March 2023, the newly created Department of Science, Innovation and Technology (“DSIT”) introduced the Data Protection and Digital Information (No. 2) Bill. The “Bill” is in substance a re-introduction of the previous Data Protection and Digital Information Bill which was withdrawn from Parliament on the same day as the new Bill was published. The Bill, which has been hailed by the UK Government as one that will “save billions” and “cut down pointless paperwork” is the UK’s latest attempt to create a more streamlined piece of data protection legislation for the UK whilst still “ensur[ing] data adequacy.” The Information Commissioner’s Office (“ICO”) also welcomed the re-introduction of the Bill, with the Commissioner stating that he would “support [the Bill’s] ambition.” While much of the Bill remains the same as its previous iteration, we set out the key provisions and notable amendments below.

Biden Administration Announces National Cybersecurity Strategy

On March 1, 2023, the Biden administration announced its long-awaited National Cybersecurity Strategy. The strategy is part of the administration’s efforts to bolster and modernize public and private responses to cybersecurity threats.

FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.