Latest Alerts
- Colorado Adopts Final Rules to Implement the State’s Privacy Act
(posted: 04/03/2023)The CPA Imposes Requirements On Organizations That Conduct Business In Colorado On March...
- Idaho Extends Unemployment Benefits to Military Spouses and Domestic Violence Victims
(posted: 03/30/2023)The Amendments Provide Some Flexibility To The General Eligibility Criteria On March 21, 2023,...
- Virginia Prohibits Using Social Security Numbers on Employee Badges
(posted: 03/30/2023)Employers Cannot Use Social Security Numbers As Employee Identification Numbers or Include Them...
Tennessee Amends Breach Notification Law
posted: Tuesday, May 2nd
Amended Law Currently in Effect
Tennessee has amended its breach notification law. Highlights of the amended law are presented below.
Revised Definitions
The amended law revises various definitions in the breach notification law. Under the amended law, "breach of system security" means the acquisition of the following information by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by an information holder:
- Unencrypted computerized data; or
- Encrypted computerized data and the encryption key.
An "unauthorized person" includes an employee of the information holder who is discovered by the information holder to have obtained personal information with the intent to use it for an unlawful purpose.
"Personal information" means an individual's first name or first initial and last name, in combination with any one or more of the following data elements:
- Social Security number;
- Driver's license number; or
- Account, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
However, "personal information" does not include information that is lawfully made available to the general public from federal, state, or local government records, or information that has been redacted or otherwise made unusable.
Disclosure of Breach of System Security
Following discovery or notification of a breach of system security by an information holder (generally any person or company, among other entities, conducting business in Tennessee that owns or licenses computerized personal information of Tennessee residents), the information holder must disclose the breach of system security to any Tennessee resident whose personal information was--or is reasonably believed to have been--acquired by an unauthorized person. The disclosure must be made no later than 45 days from the discovery or notification of the breach of system security, unless a longer period of time is required due to the legitimate needs of law enforcement (as noted below).
Any information holder that maintains computerized data that includes personal information that the information holder does not own must notify the owner or licensee of the information of any breach of system security if the personal information was--or is reasonably believed to have been--acquired by an unauthorized person. The disclosure must be made no later than 45 days from the discovery or notification of the breach of system security, unless a longer period of time is required due to the legitimate needs of law enforcement (as noted below).
The notification required by the law may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. If the notification is delayed, it must be made no later than 45 days after the law enforcement agency determines that notification will not compromise the investigation.
Additional details are contained in the text of the amended law. The law is currently in effect.