Effective July 1, 2016, Tennessee amended its data breach notification statute to require notification of a data breach to affected individuals regardless of whether the personal information involved in the security incident was encrypted. Prior to the new law, Tennessee’s statute had expressly exempted entities from notification requirements if the personal information involved in the security incident was encrypted. On July 1, Tennessee becomes the first state to remove its encryption safe harbor, although the new law still allows a risk analysis. This means that although there is no blanket exception for encryption, encryption can still be considered as part of your risk analysis to determine whether notification is necessary.

The amendment also requires businesses and government agencies to notify Tennessee residents affected by data breaches within 45 days of discovering the data breach. While the vast majority of states require notification in the “most expedient time possible” and “without unreasonable delay,” Tennessee becomes the eighth state to enact legislation that sets a specific time period for notification to affected individuals.

The new law also expands the definition of “unauthorized person.” Tennessee requires any information holder to disclose a breach of the security of the system to any resident of Tennessee whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. According to the new law, “unauthorized person” now includes “an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose.”

For additional information regarding data breach notification statutes enacted in the United States and worldwide, please refer to BakerHostetler’s State-by-State Survey of Data Breach Notification Laws, Key Issues in State Data Breach Notification Laws, and International Compendium of Data Privacy Laws.