Last week, Tennessee Governor Bill Haslam signed into law SB 2005, which makes two amendments to the state’s data breach notification statute – effective July 1, 2016. With these amendments, Tennessee has joined a handful of other states that have strengthened – or are attempting to strengthen – their breach notification statutes in light of several high-profile breaches over the past few years.
The first amendment will require that businesses provide notice of a breach to affected Tennessee consumers no later than 14 days after discovery. Previously, the statute required that notice be provided “in the most expedient time possible and without unreasonable delay.” Notice may be delayed if a law enforcement agency determines that it would impede a criminal investigation, but then must be provided within 14 days after the agency has determined it will no longer compromise that investigation.
Additionally, the amendments clarify that the acquisition of personal information by employees who intentionally use the information for an unlawful purpose triggers the statute and its notice requirement.