The National Law Review reported that Tennessee's data breach notification statute had been amended when Tennessee Governor Bill Haslam signed S.B. 2005 into law. The amendment takes effect on July 1, 2016.
Under the amendment, notification of a data breach must now be provided to any affected Tennessee resident within 45 days after discovery of the breach (absent a delay request from law enforcement). Previously, and like the vast majority of states, Tennessee's statute required disclosure of a breach to be made in the most expedient time possible and without unreasonable delay.
The bill also amends the statute to specify that an "unauthorized person" includes an employee of the information holder who is discovered to have obtained personal information and intentionally used it for an unlawful purpose. This amendment is likely aimed at entities that failed to provide notification of data incidents resulting from improper access by employees.
More importantly, the amendment removes the provision in the existing statute that required notice only in the event of a breach of unencrypted personal information. Accordingly, by expanding this provision, it appears Tennessee will be the first state in the country to require breach notification regardless of whether the information involved in the breach was encrypted.
I don't understand this change and could not find the rationalization behind the change, which makes no sense to me. This change apparently punishes those who have invested time and money into properly securing their data. Absent any reason to think that the encrypted data was somehow decrypted, why punish companies for doing the right thing and subject them to the inevitable negative publicity? I am flummoxed by this amendment.
If any RTL readers know the reasoning behind this part of the amendment, I'd be mighty curious to hear it.