10 Comments

If you want to comment on this post, you need to login.

• comment Lorie Schrameck • Mar 30, 2016

  Just a small note: After reviewing S.B. 2005, the notification should be sent within 14 days, not 45   :)

• comment Leslie • Mar 30, 2016

  Thanks so much, Lorie. Correction has been made, above.

• comment David McKinney • Mar 30, 2016

  Actually, it appears it should be 45 days after all. See the amendments tab at http://wapp.capitol.tn.gov/apps/BillInfo/Default.aspx?BillNumber=SB2005

• comment Monique Ferraro • Mar 30, 2016

  Also, by definition, there is no data breach if the data are encrypted. ("47-18-2107. Release of personal consumer information.
  (a) As used in this section, unless the context otherwise requires:
  (1) "Breach of the security of the system" means unauthorized acquisition of unencrypted computerized data that materially compromises the security,  confidentiality, or integrity of personal information maintained by the information holder. Good faith acquisition of personal information by an employee or agent of the information holder for the purposes of the information holder is not a breach of the security of the system; provided, that the personal information is not used or subject to further unauthorized disclosure."

• comment Joseph Cvelbar • Mar 31, 2016

  Actually Monique, the Bill (now law) amended the encryption exception by stating "Tennessee Code Annotated, Section 47-18-2107(a)(1), is amended by
  deleting the word "unencrypted". Now it is considered a breach if there is unauthorized acquisition of any computerized data.

• comment Monique Ferraro • Mar 31, 2016

  Thank you!

• comment Lorie Schrameck • Apr 1, 2016

  My apologies for the correction to David McKinney.  I need to retract my comment regarding the 14 days notice.  When viewing the Tennessee legislature site, it appears that the amendment extending the notice time to 45 days (aprvd 2-21) had been withdrawn since it was approved and then withdrawn within the bill history for the TN Senate (on 3-14) and the available copy of the bill still read as 14 days.  I saw another website in which two people disagreed, so I contacted Pam Greenberg of the National Conference of State Legislatures.  She indicated that is a bit confusing because the bill on the Tennessee website is still in original form, (not the final version), and although the history indicates the amendment was withdrawn, it was only withdrawn in the TN House.  The bill with the amendment passed in the TN senate; therefore, the time limit to report a breach will be 45 days, not 14.   ~ Lorie

• comment Leslie • Apr 1, 2016

  Thanks, David and Lorie. All set now.

• comment Keith Cheresko • Apr 8, 2016

  The FTC had expressed concerns about "notice' fatigue.  What is the purpose of notifying someone that encrypted PII has been breached unless the key was also compromised or the level of encryption was inadequate?  Seems a better solution here would be to reinsert "unencrypted" and if concerned about the level of cypher - specify a minimally acceptable level.

• comment Jim Halpert • Apr 29, 2016

  Commenters and the author of the story had not seen the final version of the law and the caption is incorrect.  The Tennessee law DOES NOT require notice of encrypted data and imposes a 45 day deadline.