On March 24, 2016, Tennessee Governor Bill Haslam signed into law S.B. 2005, as amended by Amendment No. 1 to S.B. 2005 (the “Bill”), which makes a number of changes to the state’s data breach notification statute, Tenn. Code § 47-18-2107. The amendments take effect on July 1, 2016.

The Bill:

  • Requires businesses and state agencies to notify affected individuals “immediately, but no later than 45 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement.” Before the amendment, the statute required notification “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.”
  • Eliminates a provision from the statute that triggered notification obligations only where there had been access to, or acquisition of, unencrypted personal information. Under the Bill, notification obligations may be triggered even where the accessed or acquired data elements are encrypted.
  • Defines “unauthorized person,” for purposes of triggering notification obligations, to specifically include “an employee of the [business or agency] who is discovered by the [business or agency] to have obtained personal information and intentionally used it for an unlawful purpose.”