Tennessee’s Data Breach Law Drawing National Attention

flash driveBy Kathie McDonald-McClure

We recently posted an article about Tennessee’s amendment to its data breach notification law.  This amendment has drawn much attention among cyber security professionals and corporate general counsel across the country.  As Jennifer Williams-Alvarez reported in her article for Corporate Counsel magazine, cyber security was a plenary session topic at the 2016 Association of Corporate Counsel (ACC) Mid-Year Meeting in New York City this week.  See “At ACC Event, Experts Say Data Breaches Are Inevitable. So Now What?”, Corporate Counsel (April 14, 2016)(Read more: here).  In fact, an ACC Foundation report on the “State of Cybersecurity”, released in December 2015, said one-third of in-house counsel reported that their companies experienced a data breach and more than one-half reported increased spending in cybersecurity.

Matt San Roman and I spoke with Ms. Williams-Alvarez this morning.  She is working on a follow-up article regarding the amendments (HB2005 and SA0618) to the Tennessee data breach law.  When the article is published, we will provide a link here for those of you who are not currently Corporate Counsel subscribers.  Stay tuned . . .

Tennessee Amends Data Breach Notification Law – Removes Encryption Exemption (or does it?)

By Kathie McDonald-McClure and Matt San Roman

data-breaches-notification

On March 24, 2016, Tennessee Governor Bill Haslam signed into law SB2005 as amended by SA0618, revising the Tennessee Identity Theft Deterrence Act of 1999, currently codified at T. C. A. § 47-18-2101, et seq.  Under the revised law, organizations subject to the law that experience a data breach will be required to notify affected individuals in Tennessee “immediately” and no later than 45 days from the discovery or notification of a security breach of computerized personal information, unless a law enforcement investigation related to the breach requires a delay in notification. While most similar state laws refrain from mandating a definite period within which to provide notification to affected individuals or state agencies, Tennessee, effective July 1, 2016, will join seven other states in requiring notification within a specific time.

Perhaps more notably with this amendment, Tennessee “may” be the first state in the United States to remove the encryption safe harbor.* The 46 other state data breach notification laws require notification to affected individuals if Continue reading