Breach Notification Laws in Tennessee Updated

Data breach notification laws in Tennessee have been updated to better protect state residents. The new law requires organizations to issue notifications to state residents more quickly, while the range of information covered has been broadened.

When the new laws come into effect, organizations doing business in the state of Tennessee will be required to notify state residents of a breach of personal information within 45 days of the discovery of data exposure. Originally the bill required entities to issue notifications within 14 days of discovery, although this was later amended to 45 days.

Previously, data breach notification laws in Tennessee required all businesses to issue breach notifications in a reasonable time frame after a breach was discovered. Tennessee is the eighth state to introduce a time frame for sending breach notification letters.

Tennessee is not the only state to introduce laws that reduce the timescale for notifying breach victims, but in contrast to many states, information holders are not permitted to extend the deadline even if an investigation into the breach is ongoing or if measures have not yet been implemented to restore the security of the information holder’s systems. The only exception is when a delay has been requested by law enforcement in order not to compromise a criminal investigation.

While the old breach notification law required notifications to be issued to breach victims in cases where unencrypted data were exposed, in the new law the word “unencrypted” has been dropped. Out of the 47 states that have introduced breach notification laws, Tennessee is the only state to drop its safe harbor for encrypted data. The change was necessary, according to Sen. Bill Ketron (R), who sponsored the bill, because “encrypted data is now being stolen almost as easily as unencrypted [data].”

This means that if data are stolen the information holder would still need to notify individuals of the breach even if data were encrypted, although only if the breach materially compromised the security, confidentiality, or integrity of personal information.

The definition of “unauthorized person” has also been expanded to include employees of an information holder who are discovered to have obtained personal information and used it for an unlawful purpose.

Tennessee Governor Bill Haslam (R) signed bill S.B. 2005 into law late last month. The new data breach notification law in Tennessee will come into effect on July 1, 2016.

Safe Harbor for HIPAA Covered Entities

Under HIPAA, covered healthcare organizations are required to notify individuals of a breach of protected health information within 60 days of the discovery of a data breach; however, states can introduce stricter laws if they so require. HIPAA sets a minimum standard for data security, privacy, and breach notifications.

However, the new laws in Tennessee add a safe harbor for organizations covered by the Health Insurance Portability and Accountability Act. If a HIPAA-covered entity experiences a breach of personal information, that entity will be required to comply with HIPAA, not the new breach notification laws in Tennessee.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.