[BreachExchange] Tennessee Enacts Changes to Data Breach Statute

Inga Goddijn inga at riskbasedsecurity.com
Wed May 18 22:27:03 EDT 2016


http://www.jdsupra.com/legalnews/tennessee-enacts-changes-to-data-breach-75551/

Businesses in the State of Tennessee should take note of several
significant changes to Tennessee's data breach statute that take effect for
data breaches occurring on or after July 1, 2016.

Currently, Tennessee Code Annotated § 47-18-2107 states, among other
things, that persons, businesses and government agencies in Tennessee that
own or license computerized data containing personal information must
disclose breaches of the security of their systems to Tennessee residents
whose unencrypted personal information was, or is reasonably believed to
have been, acquired by an unauthorized person.  Disclosures must be made
"in the most expedient time possible and without unreasonable delay,"
subject to statutory qualifications.  A similar requirement applies to
"information holders" who maintain computerized data on behalf of others.
Such information holders must notify owners or licensees of computerized
data of breaches immediately following discovery.

The Tennessee General Assembly's recent enactment (S.B. No. 2005) changes
the foregoing statute in several ways.  First and very notably, the breach
notification statute will no longer apply to entities subject to the Health
Insurance Portability and Accountability Act ("HIPAA"), including covered
entities and their business associates.  This will be a welcome development
for entities subject to HIPAA, including health care providers, health
plans and the vendors who access patient information while providing
services on their behalf.  However, entities subject to HIPAA in some
instances that also hold computerized personal information not subject to
HIPAA should not assume that the Tennessee data breach statute is
inapplicable to their operations across the board.  Rather, they should
seek advice regarding the application of federal and Tennessee law to
particular business operations to ensure their compliance procedures are
appropriately nuanced.

Second, and also highly significant, is the replacement of the current soft
reporting timeframe with new reporting deadline language indicating that
entities must provide breach disclosures "immediately, but no later than 45
days" after becoming aware of a breach.  Entities that will remain subject
to the Tennessee breach notification requirement should modify their data
breach response procedures to take this new deadline into account.

Third, Tennessee entities should be aware that the word "unencrypted" has
been deleted from the statute.  Practically, this means that encryption of
information will not automatically render a breach of such information not
a breach for purposes of the statute.  However, encryption may still be
relevant in determining whether breach notification is required because of
its potential impact on any determination of whether an unauthorized
acquisition of data "materially compromises the security, confidentiality,
or integrity of personal information."

Last but not least, the statute has been modified to state that an
"unauthorized person" includes "an employee of the information holder who
is discovered by the information holder to have obtained personal
information and intentionally used it for an unlawful purpose."  This
change clarifies that breaches are not limited to acquisitions of
information by outsiders.  Internal breaches can result from the actions of
employees, and entities should take steps to guard against the same.