Tennessee has amended its breach notification law to require notice within 45 days of discovery of a breach. This continues a trend of states’ imposing stricter time limits on notification. The new law also removes the exception from the notification requirement for encrypted information, so notification now must be made even if the data is encrypted. It also expands the notification requirement to specifically cover acquisition of personal information by an employee, if the employee intentionally used the information for an unlawful purpose. The only bone thrown to businesses was a provision exempting entities subject to the Gramm-Leach-Bliley Act or HIPAA, which have their own notification requirements. The new requirements take effect July 1, 2016.