On March 24, 2016, Tennessee Governor Bill Haslam signed SB 2005 into law. The bill makes three principal updates to Tennessee’s data breach statute. First, the statute will now require organizations that have experienced a data breach to notify individuals within 45 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement. Service providers must report a breach to the organization for which they are processing the data within 45 days of discovery.
The second update to the statute adds employees of the business who use the information in an unlawful manner to the definition of unauthorized persons whose acquisition of personal data will trigger notice under the law.
The final update to the statute redefines a breach of security that requires notice to include the unauthorized acquisition of all computerized data, whether encrypted or unencrypted. Previously, encryption of data was a safe harbor from notification. Notification is still subject to a risk of harm analysis, so companies can still take encryption into account in determining whether notification is required.
By mandating a specific notice period, Tennessee joins a small number of states requiring notice to be made within a certain time after an organization becomes aware of the breach. As originally drafted, the bill would have required notice within fourteen days; however, amendments late in the process changed the time period to 45 days. Puerto Rico’s data breach statute requires notice to be made to the Department of Consumer Affairs within ten days of discovery of a breach. Florida requires notice to individuals to be made within thirty days following discovery of the breach.
The new law takes effect on July 1, 2016.