Tennessee Strengthens Data Security Breach Notification Law

Employers are trying to satisfy similar laws nationwide

By Rosemarie Lally May 5, 2016

As of July 1, companies will be required to notify Tennessee residents of data security breaches concerning their personal information and whether or not the data that was compromised was encrypted. The law highlights the need for employers to know how to notify people of breaches—both in Tennessee and nationwide.

Tennessee, which amended its data breach notification law March 24, is the first state to require breach notification regardless of whether the personal information affected is encrypted.

Prior to passage of Senate Bill 2005, Tennessee had provided a safe harbor for breaches of encrypted personal information, requiring notice only in the event of a breach of unencrypted personal data acquired by an unauthorized person. S.B. 2005 has eliminated that safe harbor.

The amended law also requires immediate notification of a data breach, but “immediate” is defined as no later than within 45 days of discovery, unless law enforcement requests a delay. The state’s law previously had required notification of a breach to be conducted “in the most expedient time possible and without unreasonable delay,” similar to most other state data breach laws.

In addition, Tennessee’s amended law expands the definition of an “unauthorized person” to include an employee of the company who is found to have obtained personal data “and intentionally used it for an unlawful purpose.” This tweak is a minor clarification of “unauthorized person” and is unlikely to affect current reporting obligations because taking personal information for illegal purposes has always required notification, regardless of the actor, according to Eva. J. Pulliam, an associate with Arent Fox in Washington, D.C.

Tennessee’s new provision jettisoning the safe harbor for encrypted personal information isn’t likely to have much effect on businesses, said Jason C. Gavejian, a principal with Jackson Lewis in Morristown, N.J., and a member of its Privacy, e-Communication and Data Security Practice Group. Most small and midsize businesses don’t currently encrypt personal information, other than health and medical data regulated by the Health Insurance Portability and Accountability Act, due to the high cost of encryption, he explained. “To the extent that they don’t currently encrypt, this statute won’t have much impact on them.”

Preparation, Quick Response Are Critical

However, the law’s emphasis on timely notification means that a company must be prepared to deal with a data breach immediately, Gavejian emphasized. “The most important thing a business can do is to develop a comprehensive incident response plan and have it in place ahead of time.”

Employers should act now to put themselves in the best position to respond effectively to a data breach, Gavejian said. Designating in advance an individual who will head up a potential notification effort—someone charged with quickly identifying and responding to a breach—is critical to success.

An incident response plan typically begins with an investigation into exactly what occurred, when and how it happened, the types of data that were affected, and the parties who are affected. It must then be determined whether the incident constituted a data breach under the law, Gavejian said. The plan should specify how notification of the affected parties will be carried out and who will respond to inquiries; having this decided in advance helps assure that the affected parties can be notified as soon as possible.

Gavejian further suggested that companies carry out “tabletop exercises,” like role-playing, to give the individuals who have been tasked with dealing with data breaches experience in coordinating information technology, human resources, public relations and external vendors that would be involved in sending out notification letters to affected parties. “The most important thing is to be in position to respond quickly,” he stressed.

Pulliam urged companies to take the amended Tennessee law “as an opportunity to revisit their breach and incident response plans.” Businesses first need to determine whether they are collecting data from Tennessee residents. Although companies are likely to have provided notice or implemented an incident response plan in the past in situations where encrypted data was breached, Tennessee’s amended law now requires this notice to be given within 45 days in most cases, she said. “If you don’t have [an incident response plan], create one immediately.”

Nearly all states, along with the District of Columbia, Guam, Puerto Rico and the Virgin Islands, have enacted legislation requiring entities to notify individuals of data breaches involving personally identifiable data. The only states having no security breach laws are Alabama, New Mexico and South Dakota.

Fourteen states plus the District of Columbia, Puerto Rico and the Virgin Islands allow a private cause of action for injuries resulting from the failure to notify affected residents of a data security breach.

Timing of Notification

Tennessee joins five other states—Ohio, Rhode Island, Vermont, Washington and Wisconsin—in providing a 45-day deadline for notifying affected residents of a data breach incident.

Only two states have shorter deadlines for notification: Florida amended its law in 2014 to provide a 30-day notice deadline, and Maine requires that notification occur within seven business days after a law enforcement agency determines that notification won’t impede a criminal investigation. The California attorney general’s office recommends notice to affected residents within 10 business days. Connecticut requires notice be given no later than 90 days after discovery of a breach.

Pulliam acknowledged the possibility that deadlines for notification of data breaches may become more widespread in the wake of Tennessee’s action. But she said that states already have the flexibility to review the specific circumstances surrounding a breach to decide whether an entity took longer than necessary or reasonable to notify affected residents of an incident. So while states may consider putting a deadline in place, they may not believe it is necessary, she said.

Further, “once a couple of states have implemented deadlines, it will be in everyone’s best interest to abide by them” since multistate entities won’t want to run afoul of a particular state’s deadline, she said.

Gavejian expressed a similar view, saying that state enforcement agencies generally expect to see notification of a breach within 30 days of its occurrence. Entities delaying notification for more than 30 days will often be required by the agencies to explain the lag time in exhaustive detail—an incentive to deliver prompt notification.

Gavejian also cautioned businesses to be alert to the fact that maintaining information on a Tennessee resident is enough to make Tennessee’s law applicable to that company’s data breach notification efforts; the location of the business is irrelevant.

‘Personal Information’ Defined

Nearly all states’ notification statutes apply only to security breaches involving personal information in electronic form. Only eight states—Alaska, Hawaii, Indiana, Iowa, Massachusetts, North Carolina, Washington and Wisconsin—have statutes that apply to paper records as well.

The definition of “personal information” most commonly used by states is an individual’s first name or first initial and last name plus at least one of the following data elements: Social Security number; driver’s license number or state-issued ID card number; or account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account.

Some states have expanded the definition of “personal information” to include a username or e-mail address in combination with a password that would allow access to an online account; protected medical information; health insurance information; taxpayer identification numbers; passport numbers; savings account numbers; and unique biometric data, such as a fingerprint, a voice print or a retina image.

While certain states, including Connecticut, Florida, Missouri, Oregon, Rhode Island and Texas, have expanded their definitions of “personal information” to include medical or health insurance information, others, such as California, New Hampshire and Virginia, have adopted specific statutes for medical information breach notification.

Gavejian views states’ increasingly expansive and varying definitions of “personal information” as a problem for employers. Businesses must be aware of this trend, keep on top of the changing definitions and stay in compliance with state requirements.

Triggering a Data Breach Notification

More than half the states require companies to report a breach of security to the state attorney general or a state agency, such as the Department of Consumer Affairs or the Department of Public Safety. State laws vary, however, in whether they require the reporting of every security breach or only those affecting a specified minimum number of state residents.

At least 41 states require a risk of harm analysis be undertaken to determine whether the notification requirement is triggered by a data breach. The majority of these states do not require notification if after a good-faith, reasonable and prompt investigation, the company determines that the personal information of the individual has not been and is not likely to be misused as a result of the breach. A handful of states, including Connecticut and Florida, specify that the risk of harm analysis must be made in consultation with relevant federal, state or local law enforcement agencies.

Rosemarie Lally, J.D., is a freelance legal writer and editor based in Washington, D.C.

MEMBERSHIP

Become a SHRM Member

Join/Renew Today

Job Finder

Find an HR Job Near You

SPONSOR OFFERS

Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 3,200 companies

Search & Connect