On July 1, 2016, Tennessee’s new notice requirements for breaches of data security systems which compromise an individual’s personal information will take effect. The amendments to Tennessee’s current rules, found at T.C.A. sec. 47-18-2107, expand the types of breaches which must be reported, and establish a deadline for when notice to affected individuals must be given. As a result, Tennessee has some of the toughest notice requirements in the nation.
Under the current standard, in effect at the time of this blog, a business is only required to disclose a breach of an unencrypted security system which puts personal information at risk. This means that a business does not need to disclose the breach of an encrypted security system.
Also, the current standard requires notice to be given “in the most expedient time possible,” but does not set a deadline. Notice may be delayed if it will impede a criminal investigation. In that case, notice must be given only “after” law enforcement determines it will not compromise the investigation. But again, there is no deadline. Of course, these open-ended standards amount to almost no standard at all.
The amendments to the notice statute (S.B. 2005) eliminate the safe harbor for a breach of an encrypted security system. Beginning on July 1, 2016, businesses will be required to notify affected Tennessee residents of any security system breach, whether encrypted or unencrypted, which jeopardizes an individual’s personal information.
The amendments also require that notice of a breach be made within 45 days from discovery of the breach. Like the current standard, the new standard allows notice to be delayed due to a criminal investigation, but it must be made no later than 45 days after law enforcement determines that it will no longer compromise the investigation.
Finally, the amendments expand the scope of who is an “unauthorized person” that wrongfully acquires an individual’s personal information. An unauthorized person now includes a business’ employee who intentionally uses personal information for an unlawful purpose. This definition clarifies that a breach occurs even when personal information is accessed by an authorized individual who then uses that information for any reason outside the scope of his or her employment.
Under both the current and amended version of the notice statute, “personal information” subject to the notice requirements includes an individual’s first name or first initial and last name combined with the individual’s unencrypted (1) social security number, (2) driver license number, or (3) account number or bank card number in combination with a security or access code, or password that would permit access to the individual’s financial account.
The amended statute retains the notification methods of the current statute: (1) written notice, (2) electronic notice consistent with the provisions in 15 U.S.C. sec. 7001; and (3) in limited situations, substitute notice, including e-mail, posting on the business’ web site, and notice in a statewide media. A business also retains the right to give notice consistent with its own security policy for the treatment of personal information, so long as notice is given in the timeframe required by the amended statute.
Affected individuals also retain the right under the amended statute to bring an action against a business for failing to give notice or otherwise comply with the terms of the amended statute.
Finally, the amended statute expands the entities excluded from the notice requirements to include any person subject to Title V of the Gramm-Leach-Bliley Act of 1999 or HIPAA.
In light of the increased burden for notifying individuals of a breach which affects personal information, businesses should re-examine their security systems, internal policies for accessing personal information, and any existing notice policies to ensure compliance with the new law, which will take effect on July 1, 2016.