During the recent 110th Regular Session of the Tennessee General Assembly, Governor Bill Haslam signed into law an amendment to the Tennessee Identity Theft Deterrence Act of 1999.1
The previous version of the law required any person or business that conducts business in the state of Tennessee and that owns or licenses computerized personal information of Tennessee residents to notify such residents whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. These persons or businesses were required to notify affected Tennessee residents within 45 days following discovery or notification of a breach, provided that a law enforcement agency may delay this notification requirement if it determines that notification would impede a criminal investigation.
This amendment, which unanimously passed both chambers of the Tennessee General Assembly:
- Clarifies that notification to affected Tennessee residents of a data breach must be made within 45 days following a determination by the applicable law enforcement agency that notification will not compromise the investigation;
- Adds exceptions to the definition of "personal information" for (i) information that has been redacted or otherwise made unusable, and (ii) encrypted information, provided that the encryption key for such information has not been acquired by an unauthorized person; and
- Changes the definition of an "unauthorized person" from "an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose" to "an employee of the information holder who is discovered by the information holder to have obtained personal information with the intent to use it for an unlawful purpose."
The exclusion of encrypted information from the definition of protected personal information is consistent with similar breach notification statutes in other states and is a welcome confirmation of the statute's scope. However, the change to the definition of "unauthorized person" raises new uncertainties that were not previously present.
The revised definition of "unauthorized person" appears to obligate employers to provide notification when an employee obtains personal information and intends to use it unlawfully, but has not yet done so. This raises the question of how the act of obtaining the personal information, without using it, could constitute a "material" compromise of the "security, confidentiality, or integrity of the personal information" as set forth in the definition of "breach of system security," unless the unauthorized person's act of obtaining the personal information itself constitutes a "breach of system security." If the latter is true, this change in the definition of "unauthorized person" may greatly expand the notifications required under this law.