On March 24, 2016, Tennessee Governor Bill Haslam signed into law a bill amending the state’s Data Breach Notification Statute. The amendments, which will go into effect on July 1, 2016, bring significant changes to how businesses must respond to data breaches involving information of Tennessee residents.
The amended statute requires notification be provided to residents affected by a data breach within 45 days after discovery of the breach. Prior to this amendment, Tennessee’s statute only mandated disclosure of a data breach be made in the “most expedient time possible” and “without unreasonable delay.” Tennessee has become the eighth state to enact legislation that sets a specific time period for notification to affected individuals. Further, the new law does not permit delays for remediation or investigation of a breach unless a law enforcement agency determines that notification will impede a criminal investigation, and even then notice must be made within 45 days after law enforcement determines that notification will no longer compromise an investigation.
Additionally, the amendment expands the definition of “unauthorized person.” Tennessee requires any information holder to disclose a breach of the security of the system to any resident of Tennessee whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Tennessee previously excluded from the definition of a data breach any “good faith acquisition of personal information by an employee or agent” of the information holder. Under the amendment, the definition of an unauthorized person now includes “an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose.”