As of 2020, every state has a law that requires notifying residents when their personally identifiable information is affected by a data breach. State laws share similarities, but the nuances often vary. Commonly, notification timing, the harm standard, and access vs. acquisition requirements vary between states. Additionally, nearly all states only apply notification laws to breaches of electronic information. That said, a few states also cover paper records. Thus, an organization must look to the specific laws in each state where each affected person resides to determine the organization’s legal obligations. The rules governing a data breach in Tennessee come from Tennessee’s Identity Theft Deterrence Act.
Identity Theft Deterrence Act
T.C.A. § 47-18-2107. Release of personal consumer information.
Tennessee enacted its data breach notification law in 2005, and it is contained within the Identity Theft Deterrence Act of the Tennessee Consumer Protection Act. T.C.A. § 47-18-2107. Tennessee’s data breach law requires “information holders” to notify residents of Tennessee within 45 days when their personal information was acquired, or reasonably believed acquired, by an unauthorized person following a “breach of system security”.
An information holder can be a person, state agency, or business if they own or license computerized personal information of Tennessee residents. Protected information includes a person’s first name (or first initial and last name) in combination with one or more of the following:
- Social Security Number;
- Driver’s License Number; or
- Account number, credit card number, or debit card number (if the corresponding password or access code is also compromised).
Information that is lawfully made available to the general public, such as public government records, redacted information, or unusable information, does not require breach notification.
Data Breach Under Tennessee Law
A “breach of system security” occurs when an unauthorized person acquires unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information held by the entity. Unauthorized persons are not limited to outside malicious actors. A business’s own employee can be an unauthorized person if, for example, they intentionally use personal information for an unlawful purpose.
45-Day Time Limit to Send Breach Notification
The clock starts ticking once a breach has been discovered. Tennessee law requires disclosure to any resident of Tennessee whose personal information was acquired, or reasonably believed acquired, by an unauthorized person. Information holders must notify Tennessee residents within 45 days from the date they discovered a data breach. However, there is an exception to Tennessee’s data breach notification law when it would interfere with the legitimate needs of law enforcement, such as criminal investigations. In that case, the 45-day clock is paused until the law enforcement agency determines that notification will not compromise the investigation. Once that determination has been made, the 45-day clock begins to run.
Additionally, breach notification timing varies widely between states, and 45 days falls on the shorter end. Because of Tennessee’s “reasonably believed acquired” standard, many potential incidents require a thorough investigation. Accordingly, it is important that businesses respond to potential breaches quickly. If a business does not act fast, the 45 days can run out before it has time to conduct a thorough investigation, make a final determination, and prepare the notices. Thus, it is critical that a business:
- Develop and implement a comprehensive incident response plan;
- Designate an individual to quickly identify and respond to potential notification events.
Breach Notification Requirements
There are several ways to satisfy the breach notice requirements in Tennessee.
- Traditional written notice to the individual is always satisfactory.
- Electronic notice (e-mail) is also satisfactory if:
  - Electronic communication was already established as the primary method of communication with the individual, or
  - The individual has consented to electronic communications in compliance with 15 U.S.C. § 7001.
- Substitute notice (under certain circumstances).
  - First, one of the below must apply:
    - It would cost over $250,000 to provide notice,
    - Over 500,000 individuals require notice, or
    - The entity does not have sufficient contact information.
  - If one of these is true, then notice can be given by:
    - Sending an e-mail, and
    - Publicly posting it on the entity’s website, and
    - Notifying statewide media.
Furthermore, if a company maintains its own notification procedures as part of an information security policy for personal information (and the policy is consistent with the 45-day notice time limit), the information holder is considered in compliance with the notification requirements if it notifies affected residents in accordance with those policies.
There are additional notification requirements when a single data breach requires notification of over 1,000 individuals. In that case, all consumer reporting agencies and credit bureaus that compile and maintain nationwide files must be notified of the timing, distribution, and content of the notices “without unreasonable delay”. A “consumer reporting agency” is one that regularly engages in the practice of assembling or evaluating consumer information for the purpose of furnishing consumer reports to third parties, such as consumer credit reporting.
Exemptions from the Tennessee Breach Notification Requirements
There are major exceptions to Tennessee’s breach notification law that exempt certain information holders and/or types of personal information. First, preemption. An entity can disregard the Tennessee notice requirements if it is subject to the breach notification requirements of the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA). These federal regulations supersede the Tennessee law requirements. Second, encrypted data. It is not a data breach in Tennessee if the information acquired by the unauthorized person is encrypted and the corresponding encryption keys are not also compromised. Many other states have a similar safe harbor, and Tennessee made national headlines in the privacy world by amending the law in 2016 to remove this safe harbor. However, concerns arose as to whether companies would bother encrypting their data in the first place if doing so did not provide any added legal protection. As a result, the Tennessee legislature quickly restored the safe harbor in 2017.
Rights of Individuals for Violation of Tennessee’s Data Breach Law
Tennessee gives individuals injured by a violation of this law a private right of action to sue a business for damages or an injunction. However, as with other data privacy laws, it is challenging to prove actual damages. Furthermore, the rights and remedies available are cumulative to each other and to any other rights and remedies available under law.