Tennessee Amends its Breach Notification Law (AGAIN) and reinserts the Encryption Safe Harbor


Back in April of last year, I wrote about Tennessee’s sweeping amendment to its data breach notification statute. One of the most substantial and, quite frankly, shocking changes concerned what appeared to be a removal of the encryption safe harbor. Less than eight months after the amended statute took effect, the Tennessee legislature has again modified the law to once more exclude encrypted information from the definition of “personal information.”

Last Year’s Amendment

When the amendment passed, Tennessee was widely perceived as the only state (out of the now 48 total states with data breach notification laws) to have established a standard where even the loss of encrypted information nonetheless triggered data breach notification requirements. Referred to as the “encryption safe harbor,” all other states’ data breach notification laws omitted encrypted information from the definition of “personal information.” As a result, any breach of encrypted personal information did not initiate a notifiable incident. The rationale behind such an […]


Thompson Burton’s New Cybersecurity Practice


Here are two words that should scare any business: business interruption. The thought of losing control of your business for a day or a week is enough to keep any executive awake at night. Business interruption is almost a guarantee when a company experiences a data breach or other cybersecurity-related problem. Every interruption comes with significant mitigation costs, including hiring experts to alleviate problems, lost productivity, the threat of lawsuits and much more. Helping businesses, especially smaller businesses, manage their cybersecurity risks is why I have started a dedicated cybersecurity practice at Thompson Burton. The practice includes three primary services:

- Understanding the confusing patchwork of regulatory requirements
- Drafting and reviewing security policies
- Providing legal counsel when a problem occurs

The first two services fall under what I would call “preventative medicine.” For any business in possession of sensitive customer information and data, preparation is instrumental to prevention. The last service […]


Today Marks the Start of New York’s Noteworthy Financial Cybersecurity Rule


Back in September of 2016, the New York Department of Financial Services (“NYDFS”) announced the proposal of a “first-in-the-nation” [1] regulation aimed at protecting New York financial institutions and their customers from the increase in cyber-related threats and attacks. Said New York governor Andrew M. Cuomo at the time, “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm . . . [as] this regulation helps guarantee the financial services industry upholds its obligations to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.” [2] After a forty-five day notice and public comment period produced a flurry of responses from interested parties, the NYDFS released a revised and final version of the rule on February 16, 2017. With today’s date of March 1, 2017, this new and potentially influential cybersecurity initiative goes into […]


A Bunch of Colleges Were Just Breached, But Now What?


Last week threat intelligence company Recorded Future revealed the news that a Russian hacker breached the databases of more than 60 universities and agencies — including nearby University of Tennessee — in an attempt to sell his methods of unauthorized access to these databases on the dark web. While details remain scant on the severity of the breaches, people are naturally left wondering what kind of confidential information may have been exposed. In the unfortunate event that personally identifiable information (“PII”) of university students was in fact stolen, what kind of liability do schools have and what are the rights of students under federal or state law? The answer may surprise you.

Family Educational Rights and Privacy Act

The most logical starting point in any discussion on data security for schools begins with the Family Educational Rights and Privacy Act [1] (or “FERPA”). Enacted in 1974, the government intended for this federal law to protect the privacy of student educational records and the PII those records […]


New IBM Cyber Security Report: Healthcare and Financial Institutions Among the Most Attacked


A recent report published by IBM’s Security Services offers valuable insight into the current landscape of cybersecurity risk. Through the aggregation of client data from 2015, the report provides topical information on subjects ranging from the most frequently attacked industries to the commonality found between types of attackers and their attacks. As the report makes abundantly clear, no business, especially those in the healthcare and financial sectors, remains exempt from cybersecurity threats. According to the report, the five most attacked industries in 2015 were as follows:

1. Healthcare
2. Manufacturing
3. Financial Services
4. Government
5. Transportation

HEALTHCARE

Healthcare’s occupation of the top spot should come as no surprise. 2015 was so replete with healthcare data breaches that many, IBM included, described it as “the year of the healthcare breach.” Subsumed within the United States Health and Human Services (HHS), the Office of Civil Rights (OCR) enforces the Healthcare Insurance Portability and Accountability Act (otherwise known as HIPAA). As part of its enforcement duties, the OCR provides online notification for every breach of unsecured protected health information […]
