Encrypted? So What, Says Tennessee

In a first for the country’s growing body of state breach notification laws, Tennessee has recently amended its law to require notification even if the information subject to a breach was encrypted, and regardless of whether the encryption key itself was compromised.

Until now, other states have taken the position that encryption offered a “safe harbor” of sorts, under the logic that encrypted data is generally unreadable without adequate time and computing power to break the encryption.

Governor Bill Haslam enacted S.B. 2005 on March 24, 2016, amending Tennessee’s data breach statute to:

  1. remove the encryption caveat,
  2. specify a deadline for disclosing the breach as 45 days following discovery of the breach (subject to certain exceptions), and
  3. expanding the definition of “unauthorized person” to include “an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose.”

The amended data breach provisions become effective July 1, 2016.

The prevalence of cybersecurity breaches is causing many states to revisit their data breach notification statutes to protect their residents. Stay tuned for the first state to require breach notification as soon as someone thinks about breaching your data.


Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Latest Content

Texas Outlaws and a Silver Bullet: Position Limits in the USA

In this first installment on position limits, Regulatory Guidance expert Greg Hotaling surveys the current landscape of position limits imposed for U.S.-listed commodity derivative holdings, which can affect investment firms and other speculative investors regardless of where they are based. Stay tuned for coverage of EU position limits in the next edition. “Who shot J.R.?!” … Continued

FAQs From the Cyber Desk

Cybersecurity is a fast-moving target, so it is not uncommon for firms to have questions when it comes to assessing and understanding their cybersecurity risks. Here at CSS we receive a lot of cybersecurity questions, so we thought we would take the time to answer 10 of the most common Frequently Asked Questions. (1) What … Continued

EU Position Limits: Born in the USA?

This is the second installment of Regulatory Guidance Expert Greg Hotaling’s blog on position limits, this time addressing EU-listed commodity derivatives and related products.  As always, keep in mind that these limits can apply to asset managers, and other market participants, regardless of where they are based. In 2009, the European Union’s first comprehensive position … Continued