Tennessee amends its data breach statute: data breach notification required also in case of loss encrypted data

Tennesee legislatureTennessee has modified its data breach statute. See here .Three important points:

1) the definition of data breach requiring notification now includes loss of encrypted data (not only unencrypted as before). Tennessee is first jurisdiction to provide this way;

2) the notification must be given to residents of Tennessee within a specific time limit: 45 days from the discovery of the data breach. In the majority of other states (as it was true in Tennessee before the amendment) statutes do not specify a specific time frame for notification (even if many provide “without delay”). As a comparison, you can consider that Florida is the only states with a shorter time frame (30 days)

3) the definition of “unauthorized person” is broader now including also “an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose.”

The amended statute will be effective from July 1, 2016.

More here

For more information Francesca Giannoni-Crystal