Amended Security Breach Law in the State of Tennessee

Tenn. Code §§ 47-18-2107; 8-4-119 is a data breach notification law that was passed in the U.S. state of Tennessee in 2017. Tenn. Code §§ 47-18-2107; 8-4-119 amends previous data breach notification legislation within Tennessee and provides residents of the state with updated protection as it concerns said breaches. With this being said, Tenn. Code §§ 47-18-2107; 8-4-119 sets forth the requirements that business entities and organizations are required to adhere to in the event that a security breach occurs. Furthermore, the law also gives the Tennessee Attorney General the authority to levy sanctions and penalties against businesses and organizations that fail to comply with the law.

How are security breaches defined under Tenn. Code §§ 47-18-2107; 8-4-119?

Under Tenn. Code §§ 47-18-2107; 8-4-119, a security breach is defined as “the acquisition of the information set out in subdivision (a)(1)(A)(i) or (a)(1)(A)(ii) by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder.” On the contrary, the “acquisition of the information by an employee or agent for the use of the information holder is considered to be in good faith and not a breach of data security, as long as the information is not subject to any unauthorized disclosure.” To this point, the law defines an information holder as “any person or business that conducts business in this state, or any agency of this state or any of its political subdivisions, that owns or licenses computerized personal information of residents of this state.”

What are the data breach notification requirements under Tenn. Code §§ 47-18-2107; 8-4-119?

One of the primary reasons why Tennessee’s data breach notification law was amended was to extend the period of time under which any entity within the state was required to provide data breach notification to affected residents. Under Tenn. Code §§ 47-18-2107; 8-4-119, entities within the state must provide notification to all affected individuals and parties in the event that a security breach, within 14 days of discovering that a breach occurred. However, the law also states that this time period may be extended by 45 days, in instances where an extension is legitimately required by law enforcement. These notifications must provide affected individuals with information concerning the scope and extent of the breach, as well as the information that was compromised, among other pertinent details.

Alternatively, Tenn. Code §§ 47-18-2107; 8-4-119 also permits businesses and organizations to provide affected individuals with substitute data breach notifications, albeit under certain circumstances. Such circumstances include the following:

• The cost of providing standard data breach notification would exceed $250,000.
• The number of individuals that have been affected by the breach exceeds 500,000.
• The affected business or organization does not have sufficient contact information to provide standard notifications.

What categories of personal information are protected under Tenn. Code §§ 47-18-2107; 8-4-119?

Under Tenn. Code §§ 47-18-2107; 8-4-119, the following categories of personal information are legally protected in the event of a data breach, in combination with a Tennessee resident’s first and last name or first initial and last name, in instances where these data elements have not been encrypted:

• Social security numbers.
• Drivers license numbers.
• Financial account numbers.
• Credit and debit card numbers, as well as any passwords, security codes, access codes, or PIN numbers that could be used to gain access to an individual’s financial account.

In terms of the enforcement of Tenn. Code §§ 47-18-2107; 8-4-119, the provisions set forth in the law are enforced by the Tennesse Attorney General. To this end, the Tennesse Attorney General has the authority to impose numerous penalties against businesses and organizations within the state that are found to be in violation of the law. For example, Tenn. Code §§ 47-18-2107; 8-4-119 provides Tennesse residents with the right to “file a private lawsuit and institute a civil action to recover actual damages due to the information holder violating the amendment, along with costs and attorney fees. They may also be subject to additional penalties and more under the Tennessee Consumer Protection Act.”

In conjunction with amendments made in 2017, Tenn. Code §§ 47-18-2107; 8-4-119 represents the foremost legal framework for governing data breach incidents within the state. Through this legal framework, residents of the state of Tennessee can seek both justice and compensation in the event that their personal information is compromised during a security breach. As the passing of a comprehensive data protection law on the federal level continues to stall, legislation such as Tenn. Code §§ 47-18-2107; 8-4-119 will likely serve as the main deterrent for the average American citizen as it pertains to security breaches.