Tennessee’s data breach notification law requires “information holders” to notify residents of Tennessee within 45 days when their personal information was acquired, or reasonably believed acquired, by an unauthorized person following a “breach of system security”.
As of 2020, every state has a law that requires notifying residents when their personally identifiable information is affected by a data breach. The various state data breach laws share similarities, but the nuances often vary. Commonly, notification timing, the harm standard, and access vs acquisition requirements vary between states. Additionally, while most states only apply notification laws to breaches of electronic information, some do cover paper records as well. Thus, an organizations must look to the specific laws in each state where each affected person resides to determine the organization’s legal obligations. The rules governing a data breach in Tennessee come from Tennessee’ Identity Theft Deterrence Act.
Identity Theft Deterrence Act – Release of personal consumer information
Tennessee’s data breach notification law was enacted in 2005, and it is contained within the Identity Theft Deterrence Act of the Tennessee Consumer Protection Act. (T.C.A. § 47-18-2107). Under the Act, “information holders” are required to notify Tennessee residents within 45 days when their personal information was acquired, or reasonably believed acquired, by an unauthorized person following a “breach of system security”.
Information Holders and Protected Information
An information holder can be a person, state agency, or business that “conducts business” in Tennessee, if they own or license computerized “personal information” of Tennessee residents. Paper records are not “computerized”, but could fall into a grey area if they originated from a computerized record or if computerized copies now exist in the possession of the information holder.
“Personal information” includes a person’s first name (or first initial and last name) in combination with one or more of the following:
- Social Security Number;
- Driver’s License Number; or
- Account number, credit card number, or debit card number. (If the corresponding password/access code is also compromised).
Information that is lawfully made available to the general public, such as public government records, redacted information, or otherwise unusable information, is not considered “personal information” and does not require breach notification.
A Data Breach Under Tennessee Law
A “breach of system security” occurs when an unauthorized person acquires unencrypted computerized data (or encrypted computerized data and the encryption key) that materially compromises the security, confidentiality, or integrity of personal information held by the information holder.
An unauthorized person is not limited to outside malicious actors. A businesses’ own employee can be an unauthorized person, if for example, they intentionally use personal information for an unlawful purpose. However, it does not include the good faith acquisition of personal information by an employee or agent of the information holder if used for the purposes of the information holder and not used or subject to further unauthorized disclosure.
45-day Time Limit to Send Breach Notification
The clock starts ticking once a breach has been discovered or the information holder is otherwise notified. Tennessee law requires disclosure to any resident of Tennessee whose personal information was acquired, or reasonably believed acquired, by an unauthorized person following a breach. Information holders must notify Tennessee residents within 45 days from the date they discovered a data breach. However, there is an exception to Tennessee’s data breach notification law when it would interfere with the legitimate needs of law enforcement, such as criminal investigations. In that case, the 45-day clock is paused until the law enforcement agency determines that notification will not compromise the investigation. Once that determination has been made, the 45-day clock begins to run from the date of that determination.
Additionally, breach notification timing varies widely between states, and 45 days falls on the shorter end. Thanks to Tennessee’s “reasonably believed acquired“ standard, many potential incidents require a thorough investigation to determine if a “breach” truly occurred. Accordingly, it is important that businesses respond to potential breaches quickly. If a business does not act fast, the 45 days can run out before a business has time to conduct a thorough investigation, make a final determination, and prepare the notices. Thus, it is critical that a business:
- Develop and implement a comprehensive incident response plan;
- Designate an individual to quickly identify and respond to potential notification event.
Update: Tennessee state legislators introduced an amendment to Tennessee’s data breach notification law in February 2021 to extend the notice time period from 45 to 60 days. However, the amendment did not gain traction. That said, similar attempts could occur down the road.
Tennessee Breach Notification Requirements
There are several ways to satisfy the breach notice requirements in Tennessee.
- Traditional written notice to the individual is always satisfactory.
- Electronic notice (e-mail) is also satisfactory if:
- Electronic communications was already established as the primary method of communication with an individual, or
- An the individual has consented to electronic communications in compliance with 15 U.S.C. § 7001.
- Substitute notice (under certain circumstances).
- First, one of the below must apply:
- It would cost over $250,000 to provide notice,
- Over 500,000 individuals require notice, or
- The entity does not have sufficient contact information.
- If one of theses is true, then notice can be satisfied satisfied by:
- Sending an email, and
- Publicly posting it on their website, and
- Notifying statewide media.
- First, one of the below must apply:
Furthermore, if company maintains its own notification procedures as part of an information security policy for personal information (and if the policy consistent with the 45 day notice time limit) the information holder is considered in compliance with the notification requirements if they notify affected residents in accordance with their policies.
Breaches Involving Over 1000 Tennessee Residents
There are additional notification requirements when a single data breach requires notification of over 1000 individuals. In that case, all consumer reporting agencies and credit bureaus that compile and maintain nationwide files on consumers must be notified of the timing, distribution, and content of the notices “without unreasonable delay”. A “consumer reporting agency” is one that regularly engages in the practice of assembling or evaluating consumer information for the purpose of furnishing consumer reports to third parties, such as consumer credit reporting.
Exemptions from the Tennessee Breach Notification Requirements
There are a few major exceptions to Tennessee’s breach notification law that exempt certain information holders and/or types of personal information.
Preemption by Federal Law
The first major exemption to Tennessee’s breach notification requirements is preemption. An entity can disregard the Tennessee notice requirements if it is subject to the breach notification requirements of the Gramm-Leach-Bliley Act (GLBA) or Health Insurance Portability and Accountability Act (HIPPA) as expanded by the Health Information Technology for Clinical and Economic Health Act (HITECH). These federal regulations supersede the Tennessee law requirements.
Encrypted data Safe Harbor
The second major exemption to Tennessee’s breach notification requirements is when the acquired data was “encrypted”. “Encrypted” means computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2. It is not a “data breach” in Tennessee if the information that was acquired was encrypted and the corresponding encryption keys are not also compromised. Most other states have a similar encrypted data safe harbor, and Tennessee made national headlines in the privacy world by amending the law in 2016 to remove this safe harbor. However, concerns arose around whether companies would bother encrypting their data in the first place if it did not provide any added legal protection. As a result, the Tennessee legislature quickly revered course and restored the safe harbor in 2017.
Rights of Individuals for Violation of Tennessee’s Data Breach Law
Tennessee gives individuals injured by this law a private right of action to sue a business for damages or an injunction. However, as with other data privacy laws, it is challenging to prove actual damages. Furthermore, the rights and remedies available are cumulative to each other and to any other rights and remedies available under law.