The State of Tennessee recently amended its data breach notification statute, Tenn. Code Ann. § 47-18-2107, which is set to go into effect on July 1, 2016. Numerous commentators have proclaimed that the amendment[1] marks a watershed moment—that with the enactment of S.B. 2005, Tennessee becomes the first state to eliminate the encryption safe harbor from its data breach notification statute. However, this is not the case; Tennessee has not removed its primary encryption safe harbor. Even under the amended Tennessee law, data encryption remains an important method for securing data, and one that may reduce notice obligations if a breach occurs.
S.B. 2005 makes three changes to the breach notification statute that may impact whether Tennessee’s notification law applies to a particular data breach situation, and when organizations must send notices to affected individuals.
Clarification for Breaches Involving Employees’ Unlawful Acts
The Tennessee statute requires organizations to provide notice to Tennessee residents when a data breach results in an unauthorized person acquiring personal information held by the organization. The amendment clarifies that an unauthorized person includes an employee who obtains personal information and intentionally uses it for an unlawful purpose.
New Notice Deadline
The Tennessee amendment also adds immediacy and a specific deadline for breached organizations to notify affected individuals. Prior to the amendment, the statute required breached organizations to provide notice in the most expedient time possible, taking into account the needs of law enforcement, and the need for taking measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system involved. This flexible timing element permitted organizations to focus on responding to the breach and mitigating damage before turning their attention to notifying affected individuals.
The amended statute requires organizations to provide notice to affected individuals “immediately” and no later than 45 days from the date they learn of a breach.[2] Notice must be made in this time frame regardless of whether the breached organizations know the full scope of the breach or have fixed the breach. This new requirement may slow an organization’s response to mitigate the damage from a data breach, because instead of devoting all of their time and resources to remedying the breach, organizations will spend at least some of their efforts preparing and sending notices to affected individuals. Additionally, organizations may be unable to determine the full scope of a breach within 45 days. In such situations, organizations will need to send notices within the 45 days and may need to send follow-up notices if they learn additional information about the breach that may be important for affected individuals. Consequently, this statutory requirement may cause organizations to send multiple notices to affected individuals for the same breach, which may unnecessarily frustrate or alarm affected individuals. The amended statute still allows organizations to delay notice for law enforcement purposes.
Clarification on Encrypted Data
Prior to its amendment, the Tennessee statute referenced encryption twice—once in the definition of “breach” and once in the definition of “personal information.” The amendment removed the reference to encryption in the definition of “breach,” but retained the reference to encryption in the definition of “personal information.” Thus, the primary encryption safe harbor remains in the amended statute.
Previously, the statute stated that a “breach” was the “unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder.”[3] The statute defined “personal information” as “an individual’s first name or first initial and last name, in combination with any one (1) or more of the following data elements, when either the name or the data elements are not encrypted (i) Social security number; (ii) Driver license number; or (iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.”[4] To analyze organizations’ notification obligations under the prior Tennessee statute following a data breach, organizations would identify: (1) what computerized data was involved; (2) what personal information was involved; and (3) what data was encrypted. Breach incidents commonly involve more than personal information, and the statute required a risk analysis of all unencrypted computerized data involved in the breach, not just personal information, to determine whether acquisition of the unencrypted data could compromise the security of an individual’s personal information. Under the prior version of the statute, if all of the affected data was encrypted, there was no breach under the law.
The amended Tennessee statute eliminates the reference to encryption in its definition of “breach,” which affects the breach analysis, but does not remove the primary encryption safe harbor. A “breach” is now the “unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder.”[5] This means that even encrypted data that was acquired by an unauthorized person should be analyzed as part of the breach risk assessment when affected individuals are located in Tennessee. Under the amended Tennessee statute, it is possible that notice is required following a breach of encrypted data that could potentially compromise the security of unencrypted personal information. Importantly, under the amended Tennessee statute, breach notification obligations potentially apply only if either an individual’s name or the other personal information data elements listed in the statute, such as social security number, driver license number or account number in combination with an access code or password, are not encrypted. Therefore, encrypting personal information remains an important safe harbor under the Tennessee breach notification statute.
Implications
Overall, S.B. 2005 makes several important changes to the Tennessee breach notification statute. It clarifies that a breach under the law may occur when an employee uses personal information unlawfully. It sets a new notice deadline for a breach, which may prompt organizations to provide notice to affected individuals more quickly than they might have previously. Finally, it modifies the role of encryption such that organizations now need to consider whether any encrypted data acquired in a breach could threaten the security of unencrypted personal information. Importantly, the amended statute is not the potentially momentous and novel change professed by numerous sources, as Tennessee has not removed its primary encryption safe harbor.
[1] S.B. 2005/H.B. 1631, available at http://www.capitol.tn.gov/Bills/109/Bill/SB2005.pdf.
[2] Id. at Section 3(b); Amendment 012397 to S.B. 2005 increasing proposed notification deadline from 14 days to 45 days, available at http://www.capitol.tn.gov/Bills/109/Fiscal/FM1398.pdf.
[3] § 47-18-2107(a)(1) (emphasis added).
[4] § 47-18-2107(a)(3)(A) (emphasis added).
[5] S.B. 2005/H.B. 1631, available at http://www.capitol.tn.gov/Bills/109/Bill/SB2005.pdf.