Amended Tennessee Breach Notification Law Tightens Timing Requirement
Time 1 Minute Read
Categories: Identity Theft, Information Security, Security Breach, U.S. State Law

On March 24, 2016, Tennessee Governor Bill Haslam signed into law S.B. 2005, as amended by Amendment No. 1 to S.B. 2005 (the “Bill”), which makes a number of changes to the state’s data breach notification statute, Tenn. Code § 47-18-2107. The amendments take effect on July 1, 2016.

The Bill:

  • Requires businesses and state agencies to notify affected individuals “immediately, but no later than 45 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement.” Before the amendment, the statute required notification “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.”
  • Eliminates a provision from the statute which triggered notification obligations only where there had been access to, or acquisition of, unencrypted personal information. Under the Bill, notification obligations may be triggered even where the accessed or acquired data elements are encrypted.
  • Defines “unauthorized person” for purposes of triggering notification obligations, to specifically include “an employee of the [business or agency] who is discovered by the [business or agency] to have obtained personal information and intentionally used it for an unlawful purpose.”
Tags: Consumer Protection, Legislation, Personally Identifiable Information
Print Email Twitter/X Linkedin Facebook

You May Also Be Interested In

Time 2 Minute Read
Illinois’ Damages Limitation for Biometric Privacy Violations Applies Retroactively  

On April 1, 2026, the U.S. Court of Appeals for the Seventh Circuit held that the 2024 amendment to Illinois’ Biometric Information Privacy Act, limiting damages, applies retroactively to pending cases.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 3 Minute Read
Connecticut AG Clarifies AI Compliance Obligations Under CTDPA

The Connecticut Attorney General recently issued a legal memorandum regarding the application of existing Connecticut laws, such as the Connecticut Data Privacy Act, to the use of artificial intelligence.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 1 Minute Read
Guardrails for Legal AI: What California’s SB 574 Would Require of Attorneys and Arbitrators

As reported on the Hunton Employment & Labor Perspectives blog, SB 574 is a California bill that would set specific duties for attorneys who use generative artificial intelligence and would restrict how arbitrators may use such tools in decision-making.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 3 Minute Read
Oklahoma Enacts Comprehensive Consumer Privacy Law

On March 20, 2026, Oklahoma Governor Kevin Stitt signed SB 546 into law, enacting the Oklahoma Consumer Data Privacy Act, which will take effect on January 1, 2027.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page