On March 24, 2016, Tennessee Governor Bill Haslam signed into law SB2005 as amended by SA0618, revising the Tennessee Identity Theft Deterrence Act of 1999, currently codified at T. C. A. § 47-18-2101, et seq. Under the revised law, organizations subject to the law that experience a data breach will be required to notify affected individuals in Tennessee “immediately” and no later than 45 days from the discovery or notification of a security breach of computerized personal information, unless a law enforcement investigation related to the breach requires a delay in notification. While most similar state laws refrain from mandating a definite period within which to provide notification to affected individuals or state agencies, Tennessee, effective July 1, 2016, will join seven other states in requiring notification within a specific time.
Perhaps more notably with this amendment, Tennessee “may” be the first state in the United States to remove the encryption safe harbor.* The 46 other state data breach notification laws require notification to affected individuals if personal information accessed by an “unauthorized person” was unencrypted or if the information was encrypted but the key to the encryption was compromised. But, arguably, no such safe harbor exists in Tennessee as of July 1, 2016. The question is, “What was the justification for removing the encryption safe harbor, if it indeed has been removed?” *(see the footnote at the end of this post)
During the bill’s consideration, on March 1, 2016, the bill’s sponsor, state Sen. Bill Ketron (R-Murfreesboro), told the legislature that the change was needed because “more and more of these breaches involve encrypted data because the cyber threat is growing more sophisticated” and that “the encrypted data is now being stolen almost as easily as the unencrypted [data].” Certainly, a mobile device that contains encrypted data can be just as easily stolen or lost as a mobile device that contains unencrypted data. However, there was no discussion or evidence presented to support the assertion that encrypted data could be deciphered by hackers as easily as unencrypted data, at least none that was recorded on the floor of the Senate or House. (The bill’s legislative video history is available here.)
Interestingly, on February 28, 2016, only two days before Sen. Ketron presented SB2005, the United States Department of Justice (DOJ) had filed a motion to force Apple to break the encryption on the iPhone in the San Bernardino terrorist case. The DOJ asserted that it could not break the iPhone’s encryption. The DOJ’s demand of Apple supported the long-held view that encryption is the “gold standard” for protecting data and, ironically, federal agencies have urged the use of encryption for sensitive, personal information. (The United States Office for Civil Rights, which is responsible for enforcing the security of protected health information under HIPAA, is one such agency.) But now that the DOJ cracked the San Bernardino iPhone’s encryption without Apple’s help after all, one might say the Tennessee Legislature was ahead of the curve in unanimously passing SB2005 to require notification for the unauthorized acquisition of both encrypted and unencrypted computerized personal information.
Perhaps the Tennessee legislature is correct. The test under the new Tennessee law when an incident occurs will be whether there has been:
- an unauthorized acquisition
- of computerized data
- that materially compromises
- the security, confidentiality or integrity
- of personal information
- maintained by the information holder.
If the purpose of a data privacy law is to protect an individual’s personal information, it should not matter whether the information is encrypted or not. The real issue is whether the integrity of that personal information has been materially compromised by unauthorized access.
Encryption is supposed to prevent a compromise because it renders the data indecipherable and unreadable. If the encrypted San Bernardino iPhone 5c can be hacked, is encryption now irrelevant to the data compromise analysis? If the method employed to crack the iPhone 5c’s encryption can be readily applied to any encryption method, then perhaps it is – but if not, then encryption is still relevant. United States Defense Secretary Ash Carter certainly thinks encryption is still relevant and essential. See Reuters/Business Insider, “Pentagon needs data security, strong encryption: U.S. defense chief” by Andrea Shalal (March 1, 2016).
Assuming encryption is still relevant (and that the encrypted personal information at issue is not on an iPhone 5c for which a backdoor presumably has been developed), is there another reason to be concerned when encrypted personal data is lost or stolen? Perhaps there is, according to Kurt Hagerman, the Chief Information Officer for Armor, a cyber defense firm. Writing for HealthITNews in 2015, Hagerman described why encryption has been recognized as the gold standard:
If you’ll recall, previously we examined why encryption is considered the gold standard in protecting [electronic protected health information] and looked at methods for encrypting data in transit and at rest. There’s no doubt that encryption is a fantastic security measure that can make it almost impossible to decipher data when attacked. [Encryption is] considered such a strong protection that it allows organizations to avoid characterizing a security incident as an actual data breach, as long as the lost data is encrypted and the encryption keys were not included in the loss. (Emphasis added.)
HealthITNews, “The ultimate breach insurance policy: encryption” by Kurt Hagerman (March 26, 2015).
However, as Hagerman points out in a two-part series about encryption, not all methods of encryption are equal:
The most important consideration here is selecting what is considered “strong encryption.” Most regulatory requirements mandate the use of strong encryption without providing specific guidance for what that means.
The amendment to the Tennessee law, in essence, addresses situations where the information holder used weak encryption for personal information. Nevertheless, it is important to assess the methods you are using to protect personal information so that, if you are required to apply the six-element test above under Tennessee law, you can determine whether there has been a material compromise. Before opting not to notify, however, businesses should consult with legal counsel as well as with an outside data encryption expert retained by such counsel.
The amendment to the Tennessee data breach law also makes it clear that even employees of information holders can be considered an “unauthorized person” triggering the information holder’s notification obligation if such employee intentionally uses personally identifiable information obtained through his or her employment in an unlawful manner.
Finally, while all Tennessee businesses holding their employees’ and customers’ sensitive personal information should be aware of these heightened notification requirements, the amendment also exempts any person or entity that is subject to the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as expanded by the federal Health Information Technology for Economic and Clinical Health Act (“HITECH”).
*Footnote: We note that the amendment to the TN data breach law did not amend the definition of “personal information” (T.C.A. § 47-18-2107(3)). As a result, arguably, only “personal information” that is not encrypted would be subject to a data breach analysis and, thus, the deletion of the word “unencrypted” from the definition of a “breach of the security of the system” would have no impact. This defeats the clearly expressed intent of the amendment, as stated on the TN Senate floor by the bill’s sponsor, to include both encrypted and unencrypted computerized personal information within the analysis of whether there has been a breach. Whether a correction will be made (or even can be made) before codification of the amendments remains to be seen. Stay tuned . . .