<div dir="ltr"><a href="http://www.jdsupra.com/legalnews/tennessee-enacts-changes-to-data-breach-75551/">http://www.jdsupra.com/legalnews/tennessee-enacts-changes-to-data-breach-75551/</a><br><br><div class="">
<div class="">
<p>
Businesses in the State of Tennessee should take note of several
significant changes to Tennessee's data breach statute that take effect
for data breaches occurring on or after July 1, 2016.</p>
<p>
Currently, Tennessee Code Annotated § 47-18-2107 states, among other
things, that persons, businesses and government agencies in Tennessee
that own or license computerized data containing personal information
must disclose breaches of the security of their systems to Tennessee
residents whose unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized person. Disclosures
must be made "in the most expedient time possible and without
unreasonable delay," subject to statutory qualifications. A similar
requirement applies to "information holders" who maintain computerized
data on behalf of others. Such information holders must notify owners
or licensees of computerized data of breaches immediately following
discovery. </p>
<p>
The Tennessee General Assembly's recent enactment (S.B. No. 2005)
changes the foregoing statute in several ways. First and very notably,
the breach notification statute will no longer apply to entities subject
to the Health Insurance Portability and Accountability Act ("HIPAA"),
including covered entities and their business associates. This will be a
welcome development for entities subject to HIPAA, including health
care providers, health plans and the vendors who access patient
information while providing services on their behalf. However, entities
that are subject to HIPAA in some respects but also hold computerized
personal information not covered by HIPAA should not assume that the
Tennessee data breach statute is inapplicable to their operations across
the board. Rather, they should seek advice regarding the application of
federal and Tennessee law to particular business operations to ensure
their compliance procedures are appropriately nuanced.</p>
<p>
Second, and also highly significant, is the replacement of the
current soft reporting timeframe with new reporting deadline language
indicating that entities must provide breach disclosures "immediately,
but no later than 45 days" after becoming aware of a breach. Entities
that will remain subject to the Tennessee breach notification
requirement should modify their data breach response procedures to take
this new deadline into account.</p>
<p>
Third, Tennessee entities should be aware that the word "unencrypted"
has been deleted from the statute. Practically, this means that
encryption of information will no longer automatically exclude a
compromise of that information from being a breach for purposes of the
statute. However, encryption may still be relevant in determining whether
breach notification is required, because of its potential impact on any
determination of whether an unauthorized acquisition of data "materially
compromises the security, confidentiality, or integrity of personal
information."</p>
<p>
Last but not least, the statute has been modified to state that an
"unauthorized person" includes "an employee of the information holder
who is discovered by the information holder to have obtained personal
information and intentionally used it for an unlawful purpose." This
change clarifies that breaches are not limited to acquisitions of
information by outsiders. Internal breaches can result from the actions
of employees, and entities should take steps to guard against the
same. </p>
</div>
</div><br></div>