Tennessee Disclosure of Data Security Breach
Tenn. Code Ann. § 47-18-2107
SUMMARY:
EFFECTIVE. July 1, 2005
WHO DOES THIS LAW APPLY TO. (1) Any person, business or State agency that conducts business in Tennessee and owns or licenses computerized data that includes Personal Information; and (2) any person, business or State agency that maintains information on State residents which includes Personal Information.
WHAT IS A BREACH. Unauthorized acquisition of unencrypted computerized data that materially compromises the security, integrity or confidentiality of Personal Information maintained by the owner or licensor. A good faith acquisition of Personal Information by an employee or agent of the owner or licensor for internal purposes only is not a breach, if it is not used or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data element is not encrypted:
- Social Security Number.
- Driver’s license number.
- Account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
Personal Information does not include publicly available information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the Tennessee residents affected. If more than 1,000 individuals are involved in a breach, the person, business, or State agency shall also notify, without unreasonable delay, all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1618a), of the timing, distribution, and content of the notices.
EXCEPTION. This Section does not apply to the following:
- The provisions of this Section do not apply to any person who is subject to the provisions of Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102.
- A person, business, or State agency which maintains its own notice procedures as part of a Personal Information security policy, and is otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if the affected Tennessee residents are notified by the person, business, or State agency in accordance with its policies.
- A person or business that is regulated by State or Federal law and maintains procedures for a security breach pursuant to the State or Federal laws or rules is considered in compliance with this Section if the affected Tennessee residents are notified in accordance with such policies.
- Disclosure of an event is not required if the stolen data is information that has been encrypted in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2 and the encryption key has not been acquired by an unauthorized person.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person, business or State agency discovers or is notified of an incident of unauthorized acquisition. The disclosure shall be made in the most expedient manner possible and without unreasonable delay, consistent with the needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Notification may be delayed if law enforcement determines that it will impede a criminal investigation. In that instance, notification will be made as soon as possible following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Electronic (if it is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person, business, or State agency can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 500,000, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person or business has an Email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person or business if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person, business, or State agency maintains computerized data that includes Personal Information that it does not own, then the person, business, or State agency shall notify the owner or licensee of the breach immediately upon discovery. The person, business or State agency that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. Any non-governmental customer of a person or business that is injured by a violation of this Section may file a civil lawsuit to recover damages and obtain a court order to prevent any further action in violation of this Section. The rights and remedies available under this Section are cumulative to each other and any other rights and remedies available under law.
PRIVATE RIGHT OF ACTION. Yes.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. Tenn. Code § 39-14-150(g). Notwithstanding any law to the contrary, if a private entity or business maintains a record that contains any of the personal identifying information set out in subdivision (g)(2) concerning one of its customers, and the entity, by law, practice or policy discards such records after a specified period of time, any record containing the personal identifying information shall not be discarded unless the business:
- (A) Shreds or burns the customer's record before discarding the record;
- (B) Erases the personal identifying information contained in the customer's record before discarding the record;
- (C) Modifies the customer's record to make the personal identifying information unreadable before discarding the record; or
- (D) Takes action to destroy the customer's personal identifying information in a manner that it reasonably believes will ensure that no unauthorized persons have access to the personal identifying information contained in the customer's record for the period of time between the record's disposal and the record's destruction.
LEGISLATIVE UPDATES.
H.B. 2170 – Signed into law on 6/8/2005, Effective 7/1/2005.
S.B. 2005 – Signed into law on 3/24/2016, Effective 7/1/2016.
S.B. 547 – Signed into law on 4/4/2017, Effective 4/4/2017.
For more information, see here: https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=acdb0e9f-7b6c-4d05-8be2-e7a33b186940&nodeid=ABVAAUAAVAAH&nodepath=%2FROOT%2FABV%2FABVAAU%2FABVAAUAAV%2FABVAAUAAVAAH&level=4&haschildren=&populated=false&title=47-18-2107.+Release+of+personal+consumer+information.&config=025054JABlOTJjNmIyNi0wYjI0LTRjZGEtYWE5ZC0zNGFhOWNhMjFlNDgKAFBvZENhdGFsb2cDFQ14bX2GfyBTaI9WcPX5&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A4X8K-XB40-R03J-K1K5-00008-00&ecomp=vg1_kkk&prid=61361c92-b400-40aa-8b7d-4231c290bf71
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.