In February 2021, state legislators introduced an amendment to Tennessee’s data breach law to extend the notice from 45 to 60 days. Tennessee’s data breach law is contained within the Tennessee’ Identity Theft Deterrence Act (T.C.A. § 47-18-2107). You can read our detailed article on the existing data breach law and its notification requirements in our previous article, linked here.
Currently, the Tennessee’s data breach law requires that notice be given to effected Tennessee residents within 45 days of discovering a “breach of system security” that permitted an unauthorized person to acquire the residents data. In February 2021, state Senator John Stevens and Representative Scott Cepicky introduced a proposed amendment to the law to extend the notice requirement timeline from the currently required 45 days to 60 days. This short proposed amendment reads:
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF TENNESSEE:
SECTION 1. Tennessee Code Annotated, Section 47-18-2107(d), is amended by deleting the language “forty-five (45) days” and substituting instead the language “sixty (60) days”.
SECTION 2. This act takes effect upon becoming a law, the public welfare requiring it.
The proposed amendment has passed the initial consideration phase, and is currently in committee. Other state’s data breach laws range from “without unreasonable delay” to 30 to 90 days. However, given the realistic time it takes to investigate and respond to a potential data breach, this additional 15 days before notice is required would provide valuable additional time for a more thorough investigations into the breach, and would be a welcome additional for many Tennessee businesses.
You can track the status of the proposed amendment on the Tennessee General Assembly’s Website.