Recent amendments to the State’s data breach statute give a hard deadline for a business to provide consumer notice, removes encryption safe harbor, exempts entities that are subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and will require a business to report employees’ misuse of consumer data when done for illegal purposes
On March 24, Tennessee Governor Bill Haslam signed S.B. 2005 into law, amending the state’s data breach notification statute (Tenn. Code § 47-18-2107) and changing, among other things, the deadline by which Tennessee “information holders” – i.e. those persons or businesses that conduct business in state and own or license computerized data containing personal information –must notify residents when an “unauthorized person” gains access to their personal information.
When S.B. 2005 goes into effect on July 1, such businesses will have to give notice immediately, but no later than 45 days from discovery of a data breach unless a “longer period” is needed based on the legitimate needs of law enforcement. Similarly, any information holder that maintains computerized data on behalf of another must notify the data’s owner or licensee within 45 days of discovering a breach.
This new hard deadline will be a departure from the current law, which requires affected businesses to notify residents “in the most expedient time possible and without unreasonable delay,” but consistent with the need to determine the extent of a breach and restore integrity to affected data systems. Originally S.B. 2005 would have required notification within 14 days, but the bill was revised to give businesses a more reasonable timeframe to alert residents.
Encryption Safe Harbor Eliminated
The amendment also jettisons Tennessee’s encryption safe harbor from the date breach notification statute, which currently exempts information holders from having to notify residents of a breach if the covered information was encrypted. This is a significant departure from current law, and will require consumer notification regardless of whether business owners have encrypted the information if there is a breach that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder.
Although the Tennessee General Assembly provides a summary stating that “a breach of the security system includes the unauthorized acquisition of all computerized data, whether encrypted or unencrypted,” there may be good arguments that the disclosure of strongly encrypted data without the key would not materially compromise the personal information. As a result, businesses should review the types of encryption they are using to secure information to ensure that it is considered “strong,” as well as how they secure their encryption keys.
"Unauthorized Persons" Clarified to Include Bad-Acting Employees
Amendments to S.B. 2005 also expand the statute’s definition of “unauthorized person” to include any employee who the affected information holder believes has obtained a resident’s personal information and intentionally used it for “unlawful purposes.” This change is a minor clarification to the meaning of “unauthorized person” and likely will not affect information holders’ current reporting obligations: while Tennessee’s statute exempts “good faith acquisitions” of personal information from the definition of a data breach, taking such information for illegal purposes has always required notification to affected persons.
GLBA and HIPAA-Subject Entities Exempted from Law
Finally, the amendment exempts businesses and persons that are subject the Health Insurance Portability and Accountability Act (HIPAA) as expanded by the Health Information Technology for Clinical and Economic Health Act (HITECH Act) from having to comply with Tennessee’s data breach notice law in the event of a breach. Presently entities subject to the Gramm-Leach-Bliley Act (GLBA) do not have to comply with the statute.
What's the Next Step for Businesses?
The effectiveness of an information holder’s response to a data breach may be determined by how up-to-date their breach response policies and procedures are. Thus, businesses and all other entities that are subject to Tenn. Code § 47-18-2107 should use this time to ensure that they will be prepared for when the S.B. 2005 takes effect on July 1:
- Revise breach notification policies and procedures in light of S.B. 2005. As the Department of Justice stated last year in its cyber incident response guidance, “A cyber incident is not the time to be creating emergency procedures or considering for the first time how best to respond.” Consequently, businesses should not wait until they suffer a data incident to check whether their breach notification policies are up-to-date.
Instead, businesses that operate in Tennessee will need to update their breach notification procedures prior to July 1 to incorporate the new 45-day notification deadline and the end of the statute’s encryption safe harbor. On the other hand, HIPAA-subject businesses and persons in the state will need to account for S.B. 2005’s compliance exemption in their breach notification procedures.
- Consider Employing Knowledgeable Outside Counsel to Coordinate Breach Responses. Additionally, companies should weigh whether to use outside counsel to help coordinate its consumer notification response in the event they suffer a data breach. An effective data breach response is often a costly and confusing enterprise for affected businesses. Indeed, with the patchwork system of 51 state and territorial data breach notification standards across the country, trying to mitigate the effects of a breach while simultaneously determining which state notice requirements apply and coordinating an effective response can be daunting for a company to tackle on its own. Employing outside counsel knowledgeable and experienced in conducting breach responses in accordance with the various data breach notification statutes can help your business ease its compliance burdens while meeting its responsibilities under applicable state and territorial breach notice laws.