Tennessee Enacts Law Raising Bar for Class Action Data Breach Lawsuits
Tennessee Governor Bill Lee has signed Public Chapter 991 on May 21, 2024, a law that introduces a higher liability threshold for class action lawsuits stemming from cybersecurity incidents, effectively raising the bar for legal pleadings in such cases. This new legislation does not alter the existing requirement for companies to exercise “reasonable care” in safeguarding data nor does it address individual litigation outside of class actions.
Under this new law, plaintiffs in class action suits must prove that the cybersecurity incident was caused by “willful and wanton misconduct or gross negligence” on the part of the private entity involved. The law does not modify the existing “reasonable care” requirement for data protection, nor does it address individual lawsuits outside of class actions. Instead, it imposes a more rigorous pleading standard for class action cases. The law will apply to both for-profit and non-profit entities, including those in the healthcare sector.
This new pleading standard effectively serves as a more stringent requirement for class action data breach lawsuits, making it more challenging for plaintiffs to establish their case.
The law defines a “cybersecurity event” as any occurrence resulting in unauthorized access to, disruption of, or misuse of an information system or the nonpublic information stored on such a system. This includes a variety of scenarios, such as data loss or theft, malware attacks, ransomware, phishing, and business email compromises.
The law defines “nonpublic information” as data that is not publicly available and relates to an individual through identifiers like a name, Social Security number, driver’s license number, financial account details, or biometric records.
Additionally, the new law does not mandate adherence to specific cybersecurity or data protection standards for entities to benefit from the enhanced liability protection.
(Image Credit: iStock Photo)
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.