On April 4, 2017, Tennessee Governor Bill Haslam signed into law an amendment to the state’s data breach notification law, making two substantive changes to the statute:
- Adding a technically specific safe harbor encryption provision; and
- Adding a 45-day window to complete breach notification, when required.
Overall Summary of Breach Notification Law
Tennessee’s data breach notification law applies to any person or business conducting business in Tennessee that owns or licenses computerized data that contains “personal information.” “Personal information” is defined under the statute as a person’s first name or initial and last name combined with:
- Social security number;
- Driver’s license number; or
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. Covered entities that are subject to Title V of the Gramm-Leach-Bliley Act of 1999 or the Health Insurance Portability and Accountability Act of 1996, as expanded by the Health Information Technology for Clinical and Economic Health Act, are exempt from the law.
The statute requires covered entities to disclose a “breach in the security of the system” to any resident of Tennessee whose personal information was, or is reasonably believed to have been, acquired by an “unauthorized person.”
New Encryption Requirements
Under the new law, the phrase “breach in the security of the system” has been amended to read “breach of system security,” defined as the acquisition by an unauthorized person of (1) unencrypted computerized data, or (2) encrypted computerized data together with the encryption key, where that data contains personal information and the acquisition materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder. The new statute defines “encrypted” to mean “computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2[.]” FIPS 140 is a US government standard that defines minimum security requirements for cryptographic modules in products and systems, as set forth in Section 5131 of the Information Technology Management Reform Act of 1996. Therefore, under the new amendment, if the information acquired was encrypted in accordance with the FIPS 140-2 standard and the encryption key was not compromised, notification is likely not required.
The new amendment also imposes a specific time frame for completing notification, when required. Disclosure now must be made no later than 45 days from the discovery or notification of the “breach of system security,” unless a longer period of time is required due to the legitimate needs of law enforcement. Specifically, notification may be delayed if a law enforcement agency determines that the notification would impede a criminal investigation. This change makes Tennessee the eighth state to enact a statute that sets a specific deadline for the notification requirement. The majority of states only require notification in the “most expedient time possible” or “without unreasonable delay.”
Cyber threat preparation and monitoring remain the first and best line of defense against data breaches. Dentons helps companies prepare for a breach by formulating written incident response plans, conducting table-top exercises with key members of the incident response team, and advising companies on compliance with data breach notification requirements, such as the new requirements now applicable in Tennessee. Our team is ready to help you or your business navigate this complicated area of the law, and to help you meet the growing demands of encryption requirements.