The 2017 Amendment of Tennessee Data Breach Notification Law

This April, Governor Bill Haslam signed into law an amendment to Tennessee’s Encryption Safe Harbor Statue. The encryption safe harbor allows for the nondisclosure of encrypted data incidents, so long as the information was not accessed. The amendment to the statute requires that any organization with a data breach that could potentially expose unencrypted personal information, or where there is access to the encryption key, to submit a notification.

The Tennessee Encryption Safe Harbor Law Amended

Encryption is computerized data that is indecipherable without a decryption key. To be protected by the Safe Harbor Law your encryption must be in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2. The requirement of a breach notification deadline is 45 days after a breach discovery. The 45 days does not apply if law enforcement decides a release may impede a criminal investigation.

A breach of encrypted data without the encryption key does not have to be reported under the safe harbor law. The hope is that this will encourage organizations to encrypt their data. Practicing a proper cybersecurity plan will include encryption of data to prevent access in the case of a breach.

Tennessee businesses that own or license digital personal information must abide by the Data Breach Notification Statute. The exception are entities subject to Title V of the Gramm-Leach-Bliley Act of 1999 or the Health Insurance Portability and Accountability Act of 1996 as expanded by the Health Information Technology for Clinical and Economic Health Act.

A breach that affects unencrypted personal information must be reported. Personal information could include anything from names, social security numbers, driver license numbers, or access codes to financial accounts. The law states that the data must be in the correct encryption form. The safe harbor does not apply if the encryption key of the encrypted data is compromised. If the decryption key is accessible to the individual that hacked encrypted data, you must make a notification of the breach.

Tennessee is one of 47 states with data breach notification laws, these laws also apply in Washington D.C. and three U.S. territories. Depending upon your location there are federal and state data breach laws that you must be aware of for your organization compliance.

The amendment of the data breach safe harbor statute encourages cybersecurity practices. To ensure that your data encryption follows the Federal Information Processing Standard (FIPS) 140-2 contact Crossroads using the form below. We have assisted organizations for 20 years to maintain an optimized and secure IT solution and we can help your cybersecurity today.