Tennessee Data Breach Law

Tennessee Code § 47-18-2107

Enacted:  6.18.2005

Type of Data Covered: Computerized or electronic data. 

​

Is Breach Defined?

"Breach of system security":

• (A)  Means the acquisition of the information set out in subdivision (a)(1)(A)(i) or (a)(1)(A)(ii) by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder:

  • (i)  Unencrypted computerized data; or

  • (ii)  Encrypted computerized data and the encryption key; and

• (B)  Does not include the good faith acquisition of personal information by an employee or agent of the information holder for the purposes of the information holder if the personal information is not used or subject to further unauthorized disclosure."

​

​

When is notice required?

​

Notice is required for all affected residents "...no later than forty-five (45) days from the discovery or notification of the breach of system security, unless a longer period of time is required due to the legitimate needs of law enforcement..." Breaches affecting over 1,000 residents trigger reporting requirements to consumer credit agencies. Notice may be written, electronic, or via "substitute notice" procedures, depending on circumstances.

​

What are the penalties for non-compliance?

​

Violations have their own section of the law, § 47-18-2107(h), which reads as follows: 

​

• "(h)  Any customer of an information holder who is a person or business entity, but who is not an agency of this state or any political subdivision of this state, and who is injured by a violation of this section, may institute a civil action to recover damages and to enjoin the information holder from further action in violation of this section. The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law."

​

​