Notice: This post was migrated from one of our legacy websites and might not display correctly.
In a first for the country’s growing body of state breach notification laws, Tennessee has recently amended its law to require notification even if the information subject to a breach was encrypted, and regardless of whether the encryption key itself was compromised.
Until now, other states have taken the position that encryption offered a “safe harbor” of sorts, under the logic that encrypted data is generally unreadable without adequate time and computing power to break the encryption.
Governor Bill Haslam enacted S.B. 2005 on March 24, 2016, amending Tennessee’s data breach statute to:
- remove the encryption caveat,
- specify a deadline for disclosing the breach as 45 days following discovery of the breach (subject to certain exceptions), and
- expanding the definition of “unauthorized person” to include “an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose.”
The amended data breach provisions become effective July 1, 2016.
The prevalence of cybersecurity breaches is causing many states to revisit their data breach notification statutes to protect their residents. Stay tuned for the first state to require breach notification as soon as someone thinks about breaching your data.
Subscribe to CSS Blog
CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.