As one of the forty-seven states with cybersecurity breach notification laws, Tennessee has just amended its existing statute. Since California acted in 2002, states have imposed security breach notification obligations on entities that own and possess personal information. With the enactment of a more encompassing and definitive breach notification protocol, Tennessee has taken a small step forward in prioritizing data security.
THE CURRENT LAW
Codified at T.C.A. § 47-18-2107 under the Tennessee Identity Theft Deterrence Act of 1999 and entitled “Release of Personal Information,” Tennessee’s statute follows a framework common to states around the country. The statute begins by defining personal information, breach of security, and information holder. “Personal information” is unencrypted information consisting of an individual’s first name or first initial and last name, in combination with any one or more of the following: (i) social security number; (ii) driver’s license number; (iii) account number, credit card number, or debit card number, combined with any security code, access code, or password that would permit access to the individual’s financial account. Of note, publicly available information lawfully accessible from federal, state, or local government records does not constitute personal information. “Breach of security” is the unauthorized acquisition of unencrypted computerized data that materially compromises personal information. An information holder is any person or entity conducting business within the state of Tennessee that owns or licenses computerized data containing personal information.
Upon discovering that personal information was stolen, an information holder must disclose the breach in the “most expedient time possible and without unreasonable delay.” Tennessee provides three methods of notice: (1) written notice, (2) electronic notice, or (3) substitute notice. Substitute notice is available only if one of the following circumstances applies:
- The cost of providing notice would exceed $250,000;
- The number of affected individuals is in excess of 500,000; or
- The entity lacks sufficient contact information for those affected.
If one of these scenarios applies, an information holder may provide substitute notice by completing all of the following actions: emailing the affected individuals (presuming the business possesses the necessary email addresses), conspicuously posting notice on the company website, and alerting major statewide media of the breach. Interestingly, the statute allows an information holder to bypass these methods of notice if it maintains its own security response plan whose notification procedures are consistent with the statute’s timing requirement of an expedient response without unreasonable delay. If the breach affects more than 1,000 people, the information holder bears the additional burden of notifying all consumer reporting agencies and credit bureaus without unreasonable delay.
The existing breach notification protocol provides one safe harbor exemption (i.e., a circumstance in which an entity need not follow the state law) for financial institutions regulated under the Gramm-Leach-Bliley Act of 1999 (GLBA). If a Tennessee entity meets the GLBA’s definition of a financial institution, it may disregard Tennessee’s breach notification law and instead comply with federal law.
HOW THE AMENDED LAW DIFFERS
Taking effect on July 1, 2016, and applying to data breaches occurring thereafter, the new law features some small but significant modifications. First, the “breach of security” definition no longer pertains only to unencrypted data. Whereas the old law applied only to the “unauthorized acquisition of unencrypted data,” the new law requires notification for any breach of data, regardless of whether that data was encrypted. The new law also amends the employee exception to the “breach of security” definition: unlawful use of personal information by an employee of an information holder now triggers the notice requirements. This expands a business’s liability and exposure beyond its own acts to the acts of its employees as well.

Another important revision concerns the time period in which an information holder has to provide notice. Instead of the vague and ambiguous “expedient” standard of “without unreasonable delay,” the amended law requires information holders to disclose a breach within forty-five days of discovery. With no case law interpreting the old statute, information holders were left to speculate how much time they had before notice was required. The new law eliminates this uncertainty by providing an exact time frame within which notice must be given.

The final wrinkle is the addition of a new safe harbor exception. Any person or entity subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) may disregard the Tennessee requirements. This is appropriate given that both the GLBA and HIPAA impose much stiffer data protection safeguards and requirements on businesses that fall within the Acts’ respective parameters.
A STEP IN THE RIGHT DIRECTION
The amended law represents a step in the right direction, but the need for greater consumer protection remains. In this ever-changing digital world, Tennessee’s reactive approach should expand to include more proactive measures. Rather than simply improving what must happen after a breach occurs, Tennessee should emulate California and require that entities implement and maintain more stringent security measures. As Tennessee companies fall victim to data breaches, Tennessee citizens need better protection. After all, it takes consumers a lifetime to build an identity and only a company’s poor data security to ruin it.
Are you a business owner with cyber security questions? Are you in need of a more complete understanding of your privacy and data security risk? Contact us today.