Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Tennessee’s New Breach Notification Statute Requires Disclosure of Encrypted Data

May 3, 2016

The National Law Review reported that Tennessee's data breach notification statute had been amended when Tennessee Governor Bill Hallam signed into law S.B. 2005. The amendment takes effect on July 1, 2016.

Under the amendment, notification of a data breach must now be provided to any affected Tennessee resident within 45 days after discovery of the breach (absent a delay request from law enforcement). Previously, and like the vast majority of states, Tennessee's statute required disclosure of a breach to be made in the most expedient time possible and without unreasonable delay.

The bill also amends the statute to specify that an "unauthorized person" includes an employee of the information holder who is discovered to have obtained personal information and intentionally used it for an unlawful purpose. This amendment is likely focused on entities which failed to provide notification of data incidents which were the result of improper access by employees.

More importantly, the amendment removes the provision in the existing statute requiring notice only in the event of a breach of unencrypted personal information. Accordingly, by expanding this provision, it appears Tennessee will be the first state in the country to require breach notification regardless of whether or not the information involved in the breach was encrypted.

I don't understand this change and could not find the rationalization behind the change, which makes no sense to me. This change apparently punishes those who have invested time and money into properly securing their data. Absent any reason to think that the encrypted data was somehow decrypted, why punish companies for doing the right thing and subjecting them to the inevitable negative publicity? I am flummoxed by this amendment.

If any RTL readers know the reasoning behind this part of the amendment, I'd be mighty curious to hear it.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
www.linkedin.com/in/sharondnelson

Sharon D. Nelson, Esq.
President

Subscribe in a Reader

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Ride the Lightning

Tennessee’s New Breach Notification Statute Requires Disclosure of Encrypted Data

Subscribe for More!

Recent Posts

Listen to the Podcast

Disclaimer