Last week, Tennessee Governor Bill Haslam (R) signed S.B. 2005 into law, amending Tennessee’s breach notification law to broaden the scope of information covered and require quicker notifications of the state’s residents. Most notably, when the amendments enter into force on July 1, 2016, Tennessee will become the only U.S. state that could require notification of affected individuals following breaches of encrypted information. The amendments will also require businesses to notify Tennessee residents within 45 days after the business discovers the breach.
All 47 states (plus the District of Columbia) that have enacted breach notification laws currently include an exemption from notification if a breach only discloses encrypted information. The bill’s sponsor, state Sen. Bill Ketron (R), told the legislature during the bill’s consideration that the change was needed because “encrypted data is now being stolen almost as easily as unencrypted [data].” However, the bill did not amend the requirement that a breach must “materially compromise the security, confidentiality, or integrity of the personal information” subject to the breach, which may protect businesses from having to notify Tennessee residents following breaches of encrypted information where only a remote possibility of harm exists.
Tennessee also joins a growing trend of states that have recently amended their breach notification laws to establish explicit deadlines for notifying affected state residents. While the 45-day deadline implemented by S.B. 2005 mirrors requirements found in several other states, these amendments go further than many other states by not including any language that extends this 45-day deadline if necessary to investigate a breach or restore the security of the breached system. The only circumstances under which the deadline can be extended is if law enforcement decides that providing notifications will impede a criminal investigation.
The amendments will also add a safe harbor to Tennessee’s breach notification statute for entities that are subject to HIPAA, in addition to the pre-existing safe harbor for entities subject to the GLBA. The amendments will enter into force on July 1, 2016.