On May 6, 2021, Tennessee Governor Bill Lee signed the Insurance Data Security Law after its passage in the General Assembly. This new data security law creates obligations for insurance carriers in Tennessee, and was based on model legislation that was drafted over two years by the National Association of Insurance Commissioners (“NAIC”) in conjunction with several national regulators. The model legislation was designed to be adopted by multiple states, not just Tennessee, and was drafted in direct response to the recent onslaught of data breaches exposing consumers’ personal information. It is intended to modernize, define, and toughen existing security measures that Tennessee insurance carriers must take to protect consumer information, and is consistent with the NAIC’s Cybersecurity Consumer Protections.
Tennessee’s Assistant Commissioner for Insurance, Bill Huddleston, stated that “Tennessee’s adoption of the bill is critical for the Commissioner and the Department to have the tools they need to better protect Tennesseans’ sensitive consumer information.”
Under Tennessee’s Insurance Data Security Law, insurance carriers must:
- Identify internal or external threats that could result in unauthorized access, transmission, disclosure, misuse or destruction of consumers’ private information.
- Develop, implement and maintain an information security program based on their individual risk assessment, with a designated employee in charge of the information security program.
- Investigate any cybersecurity breach and notify the Insurance Commissioner of a cybersecurity event if the licensee is a domiciled insurer or if more than 250 Tennesseans are impacted.