Tennessee to Clarify Breach Notice Encryption Exemption

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Andrew M. Ballard

Tennessee lawmakers have cleared a bill ( S.B. 547) to clarify that companies facing a data breach aren’t required to give notice to affected individuals if the personal information involved is encrypted.

Tennessee’s 2005 breach notice law specifically provided an exception to providing notice if the breached data were encrypted. But in 2016, the law was amended to remove the specific exemption but still mentioned encryption as a means of protecting data. That change cast doubt for many on whether the breach notice encryption exception was still allowed under the Tennessee law.

The new amendment would reinstate the encryption language in the statute to remove any doubt that companies need not give breach notice of encrypted data, unless the encryption key was also breached.

A spokeswoman for Gov. Bill Haslam (R) told Bloomberg BNA that the governor plans to sign the bill. The bill would take effect immediately upon Haslam’s signing.

The bill helps remove a perceived disincentive to encrypt data, its sponsors said when introducing it. The bill would help harmonize Tennessee’s data breach notification standards with those of other states, Jason C. Gavejian, privacy attorney and principal at Jackson Lewis PC in Morristown, N.J., told Bloomberg BNA.

Stephen Embry, privacy attorney and member at Frost Brown Todd LLC in Louisville, Ky., told Bloomberg BNA that the bill corrects “a major headache for Tennessee businesses or businesses operating in Tennessee.”

The state breach notice requirements under the law, as amended in 2016, could be interpreted to apply any time a laptop “went missing"—even if it was encrypted, Embry said. Laptops and mobile devices frequently go missing or are stolen, so the current framework provides a tremendous burden on Tennessee companies, he said. The new bill would shield “businesses from notice requirements if the device is password protected,” he said.

In addition to exempting encrypted data from notification requirements, S.B. 547 would clarify that the 45-day time limit for providing notice of a breach could be extended “due to the legitimate needs of law enforcement.”

To contact the reporter on this story: Andrew M. Ballard in Raleigh, N.C. at aballard@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Further information on the bill is available at http://src.bna.com/nnc.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security