Tennessee Data Privacy Laws

Data Breach Notification Law – Applicable to any Information Holder as defined by TN law

  • T. C. A. § 47-18-2107 Breaches of security systems; definitions; notice. NOTE: The definitions have been amended twice since this law was enacted in 2013. Each version is linked below in reverse chronological order:
    • Effective April 4, 2017 to present: Click here. NOTES: The 2017 Legislature overhauled the definition of “Breach of the security of the system” in the prior version, which now reads as follows: “‘Breach of system security’: (A) Means the acquisition of the information set out in subdivision (a)(1)(A)(i) or (a)(1)(A)(ii) by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder: (i) Unencrypted computerized data; or (ii) Encrypted computerized data and the encryption key; and (B) Does not include the good faith acquisition of personal information by an employee or agent of the information holder for the purposes of the information holder if the personal information is not used or subject to further unauthorized disclosure.”
    • Effective July 1, 2016 through April 3, 2017: Click here for S.B. No. 2005. NOTES: The original definition of “Breach of the security of the system” was amended by the 2016 TN Legislative Session to include both encrypted and unencrypted data. In sum, the 2016 Legislature deleted the word “unencrypted” from the definition of “Breach of the security of the system”, resulting in the following definition at (a)(1): “‘Breach of the security of the system’ means unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder. Good faith acquisition of personal information by an employee or agent of the information holder for the purposes of the information holder is not a breach of the security of the system; provided, that the personal information is not used or subject to further unauthorized disclosure.” For Wyatt HITECH Law blog articles discussing the 2016 Legislature’s amendment, click here, here, and here.
    • Effective August 5, 2013 through June 30, 2016: Click here for the original version of the definitions under this law.
  • T. C. A. § 47-18-2108 Consumer report security freeze request, click here.
  • T. C. A. § 47-18-2109 Notice of right to security freeze, click here.
  • T. C. A. § 47-18-2110 Social security number protection; crime and punishment; exemptions; policy review, click here.
  • T. C. A. § 47-18-2111 Protected consumer security freeze, click here.

Consumer Protection Related to Identity Theft

  • T. C. A. § 47-18-2101 Tennessee Identity Theft Deterrence Act of 1999, click here.
  • T. C. A. § 47-18-2102 Definitions, click here.
  • T. C. A. § 47-18-2103 Prohibited Practices, click here.
  • T. C. A. § 47-18-2104 Private rights of Action, click here.
  • T. C. A. § 47-18-2105 Civil Penalties and Remedies, click here.
  • T. C. A. § 47-18-2106 Violation of Tennessee Consumer Protection Act, click here.

Public Agencies and Municipalities – Protecting Confidential Information of TN Citizens

  • T. C. A. § 47-18-2901 Security procedures; laptop computers or other removable storage devices, click here.

Video Tape Sellers or Service Providers – Protection of Personally Identifiable Information of Consumers

  • T. C. A. § 47-18-2201 Video Consumer Privacy Act, click here.
  • T. C. A. § 47-18-2202 Legislative findings, declaration, and intent, click here.
  • T. C. A. § 47-18-2203 Definitions, click here.
  • T. C. A. § 47-18-2204 Seller or service provider; disclosure of personally identifiable information concerning consumers, click here.
  • T. C. A. § 47-18-2205 Damages; liability, click here.

Insurers and Agents – Limits on disclosure, redisclosure and reuse of non-public personal information 

  • Comp. R. & Regs. 0780-01-72-.04 Definitions, click here.
  • Comp. R. & Regs. 0780-01-72-.11 Limits on disclosure of nonpublic personal information to nonaffiliated third parties, click here.
  • Comp. R. & Regs. 0780-01-72-.12 Limits on redisclosure and reuse of nonpublic personal information, click here.
  • Comp. R. & Regs. 0780-01-72-.13 Limits on sharing account number information for marketing purposes, click here.