Encrypted? So What, Says Tennessee

In a first for the country’s growing body of state breach notification laws, Tennessee has recently amended its law to require notification even if the information subject to a breach was encrypted, and regardless of whether the encryption key itself was compromised.

Until now, other states have taken the position that encryption offered a “safe harbor” of sorts, under the logic that encrypted data is generally unreadable without adequate time and computing power to break the encryption.

Governor Bill Haslam enacted S.B. 2005 on March 24, 2016, amending Tennessee’s data breach statute to:

  1. remove the encryption caveat,
  2. specify a deadline for disclosing the breach as 45 days following discovery of the breach (subject to certain exceptions), and
  3. expanding the definition of “unauthorized person” to include “an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose.”

The amended data breach provisions become effective July 1, 2016.

The prevalence of cybersecurity breaches is causing many states to revisit their data breach notification statutes to protect their residents. Stay tuned for the first state to require breach notification as soon as someone thinks about breaching your data.


Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Loading form...

Latest Content

Compliance Lessons Learned in 2019

Now that we are in mid-January, a few things are evident. We have likely broken one or more New Year’s resolutions, the effect of any rest over the holidays has worn off and we need to complete our annual compliance reviews for 2019 and firm up our 2020 plans. While I don’t have solid advice … Continued

CSS Launches First Form CRS Software Tool In Market

Global RegTech provider Compliance Solutions Strategies (CSS) today announces its release of Form CRS Automator, the market’s first comprehensive and fully customizable software solution designed to help firms meet the upcoming requirements of Form CRS which has been introduced by the Securities and Exchange Commission (SEC). CSS’s proprietary and Web-based tool gives regulated firms the ability … Continued