An amendment to the Tennessee’s data breach notification statute has eliminated a provision requiring notice only in the event of a breach of unencrypted personal information. Accordingly, it appears that Tennessee is the first state in the country to require breach notification regardless of whether the affected information was encrypted. The amendment (S.B. 2005), signed by Governor Bill Haslam on March 24, 2016, will take effect on July 1, 2016.
The amendment also requires notification of a data breach to be provided to any affected Tennessee resident within 45-days after discovery of the breach (absent a delay request from law enforcement). Previously, Tennessee’s statute, similar to the data breach laws of the vast majority of other states, had required disclosure of a breach to be made in the most expedient time possible and without unreasonable delay. Florida is another state that has amended its breach notification statute to require notification within a set time (30 days) after discovery of a breach.
Finally, the amendment adds a section stating that an “unauthorized person” includes an employee of the information holder who is discovered to have obtained personal information and intentionally used it for an unlawful purpose. This amendment likely is focused on entities that failed to provide notification of data incidents that were the result of improper access by employees.