06 Sep Beware of Recent Data Breach Changes in Tennessee
Tennessee Tech Companies: take note of several significant changes to our state’s data breach statute made effective this summer (July 1, 2016).
Prior to the recent change, Tennessee’s breach notification statute stated, among other things, that persons, businesses and government agencies in Tennessee that own or license computerized data containing personal information must disclose breaches of the security of their systems to Tennessee residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Disclosures had to be made “in the most expedient time possible and without unreasonable delay,” subject to statutory qualifications. Notably, that requirement did not include a numerical deadline. A similar requirement applied to “information holders” who maintain computerized data on behalf of others. Such information holders had to notify owners or licensees of computerized data of breaches immediately following discovery.
The Tennessee General Assembly changed the breach notification statute in several ways. Here are the key changes and practical considerations:
- First, the statute no longer applies to entities subject to HIPAA. This will be a welcome development for covered entities and business associates under HIPAA, including health care providers, health plans and the vendors who access patient information while providing services on their behalf. However, entities subject to HIPAA should not assume that the Tennessee breach notification statute will never apply to them. For example, such entities hold personnel information that is not subject to HIPAA. They should therefore seek advice regarding the application of federal and Tennessee law to all business departments to ensure their compliance procedures are appropriately nuanced.
- Second, in lieu of the former open-ended reporting timeframe, the statute now states that entities must provide breach disclosures “immediately, but no later than 45 days” after becoming aware of a breach. Entities that remain subject to the Tennessee breach notification requirement should modify their data breach response procedures to take this new 45-day deadline into account.
- Third, the word “unencrypted” has been deleted from the statute. Practically, this means that encrypting information no longer automatically takes an incident involving that information outside the breach reporting requirement. However, encryption may still be relevant in determining whether an unauthorized acquisition of data “materially compromises the security, confidentiality, or integrity of personal information” and so triggers the reporting requirement; whether the decryption keys were also exposed will bear on that analysis.
- Last but not least, the statute now indicates that an “unauthorized person” includes “an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose.” This change clarifies that breaches are not limited to acquisitions of information by outsiders. Internal breaches can result from the actions of employees, and entities should take steps to guard against such breaches, including appropriate segregation of information and restricting employee access to personal information based upon job function.
Cal Marshall, Jr.
Attorney, Chambliss Law Firm