Encrypted? So What, Says Tennessee

In a first for the country’s growing body of state breach notification laws, Tennessee has recently amended its law to require notification even if the information subject to a breach was encrypted, and regardless of whether the encryption key itself was compromised.

Until now, other states have taken the position that encryption offered a “safe harbor” of sorts, under the logic that encrypted data is generally unreadable without adequate time and computing power to break the encryption.

Governor Bill Haslam enacted S.B. 2005 on March 24, 2016, amending Tennessee’s data breach statute to:

  1. remove the encryption caveat,
  2. specify a deadline for disclosing the breach as 45 days following discovery of the breach (subject to certain exceptions), and
  3. expanding the definition of “unauthorized person” to include “an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose.”

The amended data breach provisions become effective July 1, 2016.

The prevalence of cybersecurity breaches is causing many states to revisit their data breach notification statutes to protect their residents. Stay tuned for the first state to require breach notification as soon as someone thinks about breaching your data.


Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Loading form...

Latest Content

How Can a Small Advisory Practice Economically Be as Cyber-Secure as Possible?

Cybersecurity is a risk that applies to firms both large and small without discrimination. Even very small advisory firms, which I’ll define as having one to five staff for purposes of this discussion, have a wealth of information worth safeguarding. Cybercrime is often a crime of opportunity. Hackers are metaphorically going door to door (computer … Continued

Will We See Liquidity Risk Management Programs in Europe Soon?

In an article posted by Ignites Europe, the Commission de Surveillance du Secteur Financier (CSSF) in Luxembourg declared that it has “stepped up its supervisory focus on the liquidity aspects that are related to the recent developments” of Neil Woodford’s flagship fund and H2O Asset Management, an affiliate of Natixis Asset Management. In the U.S., … Continued