New Tennessee Law Mandates Notification of Data Breaches Involving Encrypted Data


Companies and organizations holding personal information – including employers, retailers and others – that experience data breaches which involve their customers’ or employees’ identities have significant new obligations under a recently amended Tennessee law, including a 45-day deadline to notify affected individuals, even if the breach involved encrypted data.

Signed into law last week by Governor Bill Haslam, Senate Bill 2005/House Bill 1631 takes effect on July 1, 2016 and amends Tennessee’s Consumer Protection laws with respect to data breaches. As amended, the law now requires a business to notify Tennessee residents of a breach of a security system or unauthorized access to personal information no later than 45 days after discovery. This requirement covers a breach or unauthorized access involving any data, encrypted or unencrypted.

In addition, the amendment adds a definition of an “unauthorized person,” which is an employee who discovers the information and intentionally uses it for an unlawful purpose.

Because the amendment specifically removed the word “unencrypted” from the statute, it remains to be seen how this revision will affect security protocols and policies, especially as executive teams across the nation strive to establish secure, robust IT infrastructures.

For additional information, please contact Kristen Johns or Andy Norwood in Waller’s Intellectual Property practice or James Weaver or Jeff Parrish in Waller’s Government Relations practice.

The opinions expressed in this bulletin are intended for general guidance only. They are not intended as recommendations for specific situations. As always, readers should consult a qualified attorney for specific legal guidance.