Tennessee joins Rhode Island with a breach notice law amendment effective in 2016. Effective July 1, 2016, Tennessee’s data breach notification law will require businesses and government agencies in Tennessee to notify state residents within 45 days of discovering a data breach. The amendment also expands the definition of an unauthorized person to include employees of the information holder, if the employees obtain and use personal information for an unlawful purpose.
The amendment also removes the qualification that disclosure must be made if unencrypted personal information has been breached. As amended, notice will need to be made if computerized personal information has been breached, regardless of whether that information was or was not encrypted. It is worth noting that encryption was not defined in the law prior to the amendment. This wording change may have relatively little impact on how a company moves forward from a practical perspective. Instead, when assessing their breach notice obligations, companies might continue to examine whether a breach has occurred, namely whether there has been “unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder.” (Emphasis added.)
A redline highlighting the changes is available here.
TIP: The change in Tennessee’s laws demonstrates that states are continuing to tweak their breach notice laws, requiring companies to update their incident response plans on an ongoing basis.