Batson Nolan explains what to do if you’ve been hacked and the latest updates on the Data Breach Law.
The Tennessee Bar Journal article by W. Russell Taber, III, “You’ve Been Hacked,” provides up-to-date statutory information regarding obligations under Tennessee law after a data breach occurs. In summary, Tennessee first enacted its data breach notification law in 2005 under the Tennessee Identity Theft Deterrence Act. Tennessee amended its data breach law in 2016, and several amendments then went into effect on April 4, 2017. The current statute defines a “breach of a security system” as “the acquisition of the [following] information…by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder: (i) Unencrypted computerized data; or (ii) Encrypted computerized data and the encryption key.”
If you are an “information holder,” that is, a “person or business that conducts business in this state, or any agency of this state or any of its political subdivisions, that owns or licenses computerized personal information of residents of this state,” you need to know what information must be protected and what obligations are triggered by a breach. The statute provides that “personal information”:
“Means an individual’s first name or first initial and last name, in combination with any one (1) or more of the following data elements:
- Social security number;
- Driver’s license number; or
- Account, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; and
Does not include information that is lawfully made available to the general public from federal, state, or local government records or information that has been redacted, or otherwise made unusable….”
If a breach occurs, an information holder must generally disclose the breach to affected Tennesseans within 45 days of the discovery of the breach. Notice may be:
- electronic under certain defined circumstances, or
- substitute, if the cost of providing notice would exceed $250,000, more than 500,000 persons are affected, or the information holder does not have sufficient contact information, and the notice contains the following:
  - “Email notice, when the information holder has an email address for the subject person;
  - Conspicuous posting of the notice on the information holder’s website, if the information holder maintains a website page; and
  - Notification to major statewide media.”

Unlike some other states, the Tennessee statute does not specify the content to include in the notice.
The statute authorizes an information holder to follow its own notification procedures so long as the timing procedures are consistent with the statute. If the incident requires notification of more than 1,000 persons at one time, all consumer reporting agencies must be notified without unreasonable delay. Credit bureaus that compile and maintain files nationwide on consumers must also be notified. Such notice should include the timing, distribution, and content of the notices.
For more information on the statutory amendment or obligations of businesses triggered by a breach, please review the full Tennessee Bar Journal article, “You’ve Been Hacked” by W. Russell Taber III, through the following link: http://www.tba.org/journal/you-ve-been-hacked.