Alston & Bird Privacy, Cyber & Data Strategy Blog

Tennessee Updates Data Breach Statute

March 28, 2016 By Privacy, Cyber & Data Strategy Team

On March 24, 2016, Tennessee Governor Bill Haslam signed SB 2005 into law. The bill makes three principal updates to Tennessee’s data breach statute. First, the statute will now require organizations that have experienced a data breach to notify individuals within 45 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement. Service providers must report a breach to the organization for which they are processing the data within 45 days of discovery.

The second update to the statute adds employees of the business who use the information in an unlawful manner to the definition of unauthorized persons whose acquisition of personal data will trigger notice under the law.

The final update to the statute redefines a breach of security that requires notice to include the unauthorized acquisition of all computerized data, whether encrypted or unencrypted. Previously, encryption of data was a safe harbor from notification. Notification is still subject to a risk of harm analysis, so companies can still take encryption into account in determining whether notification is required.

By mandating a specific notice period, Tennessee joins a small number of states requiring notice to be made within a certain time after an organization becomes aware of the breach. As originally drafted, the bill would have required notice within fourteen days; however, amendments late in the process changed the time period to 45 days. Puerto Rico’s data breach statute requires notice to be made to the Department of Consumer Affairs within ten days of discovery of a breach. Florida requires notice to individuals to be made within thirty days following discovery of the breach.

The new law takes effect on July 1, 2016.

Filed Under: Data Breach, Legislation, Security Breach Tagged With: Identity Theft, US State Law

This blog is a service of Alston & Bird’s Privacy, Cyber & Data Strategy team and focuses on key data privacy and data security issues.

