Businesses in the State of Tennessee should take note of several significant changes to Tennessee's data breach statute that take effect for data breaches occurring on or after July 1, 2016.
Currently, Tennessee Code Annotated § 47-18-2107 states, among other things, that persons, businesses and government agencies in Tennessee that own or license computerized data containing personal information must disclose breaches of the security of their systems to Tennessee residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Disclosures must be made "in the most expedient time possible and without unreasonable delay," subject to statutory qualifications. A similar requirement applies to "information holders" who maintain computerized data on behalf of others. Such information holders must notify owners or licensees of computerized data of breaches immediately following discovery.
The Tennessee General Assembly's recent enactment (S.B. No. 2005) changes the foregoing statute in several ways. First and very notably, the breach notification statute will no longer apply to entities subject to the Health Insurance Portability and Accountability Act ("HIPAA"), including covered entities and their business associates. This will be a welcome development for entities subject to HIPAA, including health care providers, health plans and the vendors who access patient information while providing services on their behalf. However, entities that are subject to HIPAA for some of their operations but also hold computerized personal information not covered by HIPAA should not assume that the Tennessee data breach statute is inapplicable to their operations across the board. Rather, they should seek advice regarding the application of federal and Tennessee law to particular business operations to ensure their compliance procedures are appropriately nuanced.
Second, and also highly significant, is the replacement of the current soft reporting timeframe with new reporting deadline language indicating that entities must provide breach disclosures "immediately, but no later than 45 days" after becoming aware of a breach. Entities that will remain subject to the Tennessee breach notification requirement should modify their data breach response procedures to take this new deadline into account.
Third, Tennessee entities should be aware that the word "unencrypted" has been deleted from the statute. Practically, this means that the fact that compromised information was encrypted will no longer, by itself, take an incident outside the statute's definition of a breach. However, encryption may still be relevant in determining whether breach notification is required because of its potential impact on any determination of whether an unauthorized acquisition of data "materially compromises the security, confidentiality, or integrity of personal information."
Last but not least, the statute has been modified to state that an "unauthorized person" includes "an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose." This change clarifies that breaches are not limited to acquisitions of information by outsiders. Internal breaches can result from the actions of employees, and entities should take steps to guard against the same.