Last week, Tennessee Governor Bill Haslam (R) signed S.B. 2005 into law, amending Tennessee’s breach notification law to broaden the scope of information covered and require quicker notifications of the state’s residents.  Most notably, when the amendments enter into force on July 1, 2016, Tennessee will become the only U.S. state that could require notification of affected individuals following breaches of encrypted information.  The amendments will also require businesses to notify Tennessee residents within 45 days after the business discovers the breach.

All 47 states (plus the District of Columbia) that have enacted breach notification laws currently include an exemption from notification if a breach only discloses encrypted information.  The bill’s sponsor, state Sen. Bill Ketron (R), told the legislature during the bill’s consideration that the change was needed because “encrypted data is now being stolen almost as easily as unencrypted [data].”  However, the bill did not amend the requirement that a breach must “materially compromise[] the security, confidentiality, or integrity of the personal information” subject to the breach, which may protect businesses from having to notify Tennessee residents following breaches of encrypted information where only a remote possibility of harm exists.

Tennessee also joins a growing trend of states that have recently amended their breach notification laws to establish explicit deadlines for notifying affected state residents.  While the 45-day deadline implemented by S.B. 2005 mirrors requirements found in several other states, these amendments go further than many other states by not including any language that extends this 45-day deadline if necessary to investigate a breach or restore the security of the breached system.  The only circumstances under which the deadline can be extended is if law enforcement decides that providing notifications will impede a criminal investigation.

The amendments will also add a safe harbor to Tennessee’s breach notification statute for entities that are subject to HIPAA, in addition to the pre-existing safe harbor for entities subject to the GLBA.  The amendments will enter into force on July 1, 2016.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.