HR Alert

Tennessee Amends Breach Notification Law

Amended Law Currently in Effect

Tennessee has amended its breach notification law. Highlights of the amended law are presented below.

Revised Definitions
The amended law revises various definitions in the breach notification law. Under the amended law, "breach of system security" means the acquisition of the following information by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by an information holder:

  • Unencrypted computerized data; or
  • Encrypted computerized data and the encryption key.

An "unauthorized person" includes an employee of the information holder who is discovered by the information holder to have obtained personal information with the intent to use it for an unlawful purpose.

"Personal information" means an individual's first name or first initial and last name, in combination with any one or more of the following data elements:

  • Social Security number;
  • Driver's license number; or
  • Account, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

However, "personal information" does not include information that is lawfully made available to the general public from federal, state, or local government records, or information that has been redacted or otherwise made unusable.

Disclosure of Breach of System Security
Following discovery or notification of a breach of system security by an information holder (generally any person or company, among other entities, conducting business in Tennessee that owns or licenses computerized personal information of Tennessee residents), the information holder must disclose the breach of system security to any Tennessee resident whose personal information was--or is reasonably believed to have been--acquired by an unauthorized person. The disclosure must be made no later than 45 days from the discovery or notification of the breach of system security, unless a longer period of time is required due to the legitimate needs of law enforcement (as noted below).

Any information holder that maintains computerized data that includes personal information that the information holder does not own must notify the owner or licensee of the information of any breach of system security if the personal information was--or is reasonably believed to have been--acquired by an unauthorized person. The disclosure must be made no later than 45 days from the discovery or notification of the breach of system security, unless a longer period of time is required due to the legitimate needs of law enforcement (as noted below).

The notification required by the law may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. If the notification is delayed, it must be made no later than 45 days after the law enforcement agency determines that notification will not compromise the investigation.

Additional details are contained in the text of the amended law. The law is currently in effect.

