TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Daily Dashboard | Tennessee law first to require notification regardless of information encryption status Related reading: Legal analysis of Iowa's new privacy law


Several important changes have been made to Tennessee’s breach notification statue after Gov. Bill Haslam signed S.B. 2005 into law, The National Law Review reports. With the amendment, Tennessee is removing the provision stating notice will only be given if unencrypted personal information has been breached. Tennessee will be the first state in the nation requiring notification of any breach, regardless of whether the information is encrypted or not. Other changes include a mandatory notification to any resident affected by a data breach within 45 days, and specification for an “unauthorized person” to include an employee of the information holder who received personal information and deliberately used it for an illegal purpose.
Full Story


If you want to comment on this post, you need to login.

  • comment Lorie Schrameck • Mar 30, 2016
    Just a small note: After reviewing S.B. 2005, the notification should be sent within 14 days, not 45   :)
  • comment Leslie • Mar 30, 2016
    Thanks so much, Lorie. Correction has been made, above.
  • comment David McKinney • Mar 30, 2016
    Actually, it appears it should be 45 days after all. See the amendments tab at
  • comment Monique Ferraro • Mar 30, 2016
    Also, by definition, there is no data breach if the data are encrypted. ("47-18-2107. Release of personal consumer information.
    (a) As used in this section, unless the context otherwise requires:
    (1) "Breach of the security of the system" means unauthorized acquisition of unencrypted computerized data that materially compromises the security,  confidentiality, or integrity of personal information maintained by the information holder. Good faith acquisition of personal information by an employee or agent of the information holder for the purposes of the information holder is not a breach of the security of the system; provided, that the personal information is not used or subject to further unauthorized disclosure."
  • comment Joseph Cvelbar • Mar 31, 2016
    Actually Monique, the Bill (now law) amended the encryption exception by stating "Tennessee Code Annotated, Section 47-18-2107(a)(1), is amended by
    deleting the word "unencrypted". Now it is considered a breach if there is unauthorized acquisition of any computerized data.
  • comment Monique Ferraro • Mar 31, 2016
    Thank you!
  • comment Lorie Schrameck • Apr 1, 2016
    My apologies for the correction to David McKinney.  I need to retract my comment regarding the 14 days notice.  When viewing the Tennessee legislature site, it appears that the amendment extending the notice time to 45 days (aprvd 2-21) had been withdrawn since it was approved and then withdrawn within the bill history for the TN Senate (on 3-14) and the available copy of the bill still read as 14 days.  I saw another website in which two people disagreed, so I contacted Pam Greenberg of the National Conference of State Legislatures.  She indicated that is a bit confusing because the bill on the Tennessee website is still in original form, (not the final version), and although the history indicates the amendment was withdrawn, it was only withdrawn in the TN House.  The bill with the amendment passed in the TN senate; therefore, the time limit to report a breach will be 45 days, not 14.   ~ Lorie
  • comment Leslie • Apr 1, 2016
    Thanks, David and Lorie. All set now.
  • comment Keith Cheresko • Apr 8, 2016
    The FTC had expressed concerns about "notice' fatigue.  What is the purpose of notifying someone that encrypted PII has been breached unless the key was also compromised or the level of encryption was inadequate?  Seems a better solution here would be to reinsert "unencrypted" and if concerned about the level of cypher - specify a minimally acceptable level.
  • comment Jim Halpert • Apr 29, 2016
    Commenters and the author of the story had not seen the final version of the law and the caption is incorrect.  The Tennessee law DOES NOT require notice of encrypted data and imposes a 45 day deadline.