<div dir="ltr"><a href="http://www.jdsupra.com/legalnews/important-notice-regarding-amendments-87944/">http://www.jdsupra.com/legalnews/important-notice-regarding-amendments-87944/</a><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><br><p>
All companies with Tennessee employees or customers need to revise
their data incident policies and procedures. Tennessee has revised its
breach notification statute to remove the encryption safe harbor, which
previously obviated the need to notify individuals when encrypted
assets containing personal information were lost, stolen or compromised.
Tennessee is the first state in the nation to remove the safe harbor.</p>
<p>
Despite the removal of the safe harbor, the statute still permits an
organization to perform an analysis to determine whether an incident
requiring notification has occurred. Specifically, that analysis
requires an organization to determine whether an unauthorized
acquisition of data "materially compromises the security,
confidentiality, or integrity of personal information." Arguably, if the
information is undecipherable or inaccessible to a bad actor because it
is encrypted, the information has likely not been "materially"
compromised. Even so, regardless of the level of encryption,
organizations are cautioned to still approach every incident on a
case-by-case basis and work with counsel and their security vendors to
determine whether a reportable incident has occurred.</p>
<p>
This is not the only newsworthy aspect of the amendment. Tennessee has
also amended its data breach notification statute to require
organizations to notify Tennessee residents within <strong><em>14 days</em></strong>
after discovery of a breach. Previously, the law contained a
requirement that businesses were to notify individuals in the most
expedient time possible and without unreasonable delay.</p>
<p>
The law also amends the statute to clarify when an unauthorized
disclosure has occurred. The amendment now specifies that an
"unauthorized person" includes an employee of the organization who is
discovered to have obtained personal information and intentionally used
it for an unlawful purpose.</p>
<p>
The Tennessee law takes effect July 1, 2016.</p>
<p>
<strong>Key Takeaways:</strong></p>
<ul><li>
Organizations holding personal information of Tennessee residents need
to amend their incident policies and procedures to reflect the removal
of the encryption safe harbor. Employees should also be retrained
regarding their immediate obligation to report any lost or stolen IT
assets, including BYOD devices which contain personal information.</li><li>
Given the new 14-day timeframe, businesses must have working incident
response and breach notification policies and procedures in place.
Failure to have such policies and procedures – with current contacts
for key stakeholders in legal, insurance, law enforcement,
regulatory, computer forensics, PR, <em>etc.</em> – will likely result
in reporting outside of the statutorily mandated timeframe. Companies
should also routinely test their incident response policies to ensure
timely action within the 14-day period.</li><li>
Businesses should take this opportunity to dust off their access
control policies to ensure that employees are not accessing databases or
files without authorization and that employees only have access to the
minimum amount of information necessary to complete their tasks. Should
an employee access files or databases without authorization, the
business must conduct an investigation as to the motives, if any, of the
individual who obtained the access to personal information and make a
determination whether the use was for an "unlawful purpose."</li></ul><br></div></div></div></div></div></div></div></div></div>
</div>