New Tenn. Law: No Breach Notice Needed if Data Encrypted


By Andrew M. Ballard

Companies don’t need to notify Tennessee citizens of personal data breaches if the information was encrypted, under a new law that took effect April 4 and resolves confusion created by a 2016 amendment.

The measure reinstates language in the state’s data breach notice law to remove any doubt that companies do not need to give notice of an encrypted data breach, unless the encryption key is also breached. It took effect with Gov. Bill Haslam’s (R) signature.

Tennessee adopted a breach notification law in 2005 that specifically exempted companies from providing notice if the breached data were encrypted. But in 2016, the law was amended to remove the exemption. The 2016 amended law, however, still mentioned in another section that encryption was a positive means of protecting data. This created confusion for companies about whether they could still avoid providing notice if the data were encrypted.

Lawmakers and some privacy professionals said the new law will lift a significant burden from Tennessee businesses that faced reporting requirements if laptops and mobile devices went missing, even if the data they contained were encrypted. But others said that consumers affected by a breach may be the losers.

To contact the reporter on this story: Andrew M. Ballard in Raleigh, N.C. at aballard@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Further information on the new law is available at http://src.bna.com/nnc.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.