On March 24th, Tennessee Gov. Bill Haslam signed S.B. 2005 into law, breaking new ground in privacy law. The law takes effect on July 1.
While there are a couple of interesting features of this amendment to the existing Tennessee privacy law, the biggest change is that, effective July 1, companies that have a breach will have to notify Tennessee residents about the breach, even if the data that was taken was encrypted. This makes Tennessee the first state in the country to have this requirement. IF you have a breach, THEN you must notify the victims.
Other features of the amendment include a requirement to notify victims within 45 days unless the cops ask the company to delay that notification. Many state laws just say you should notify people quickly.
The other major feature is a requirement to notify victims if the person taking the data was an employee, operating in excess of his authority and using it for an unlawful purpose. This means that you can’t say that an employee accessing data inappropriately is okay – it is a breach.
My speculation is that this amendment is designed to stop companies from hiding the fact that they were breached.
Whether other states will follow suit is unknown.
In today’s world, many companies operate in every state, so if the company has a breach, it will have to notify victims. If the data was encrypted, then technically, they will only have to notify Tennessee residents, but that could get sticky politically, so likely they will have to notify everyone.
We live in a dynamic world.
Information for this post came from National Law Review.