On March 24, Tennessee enacted a law amending its breach notification law, originally enacted in 2005. The new amendment requires businesses and government agencies to notify citizens affected by data breaches within 45 days of discovering the breach. Exceptions to the 45-day time limit will be allowed only when required for law enforcement purposes. The amendment also specifies that unauthorized access of information by employees of the business or agency that holds the information triggers the 45-day notification requirement.
Tennessee now joins five other states—Ohio, Rhode Island, Vermont, Washington, and Wisconsin—in mandating a 45 day deadline for data breach notification. Quicker deadlines are found only in Florida, which has a deadline of 30 days, Vermont which requires preliminary notification to the Attorney General’s Office within 14 days (unless an affirmation has been filed to permit waiver of the preliminary notice deadline), and Puerto Rico that requires notification to the Department of Consumer Affairs within 10 days. The California Attorney General’s Office also recommends notice within 10 business days.
The Tennessee law, as enacted with the new amendments, also refined the definition of a “breach of the security of the system,” as the “unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder.” The amendment removed the word “unencrypted” from the definition. However, Tennessee, like most other states, still explicitly recognizes a breach must “compromise” the affected data.
The Tennessee amendments also add to the law’s existing exception for entities covered by Title V of the Gramm-Leach-Bliley Act, so that entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are also exempt from the law.