What You Don’t Know Can Hurt You—Tennessee Data Breach Law
John Chambers, CEO of CISCO, said that there are two types of computers in the world: those that have been hacked and those that will be hacked. Don’t think you are not at risk because you are not a big national or multinational company. You are at risk of being hacked no matter your size. Hacking isn’t just a problem for Yahoo or a problem for health care providers. In fact, small and mid-sized businesses may be more subject to hacking because they are the low-hanging fruit and have fewer resources to protect data.
Tennessee has a data breach notification law which was amended last year. The new Tennessee Data Breach Law (TDBL) became effective on 7/1/2016.
Tennessee may now have one of the strictest data breach notification laws in the nation.
You likely hold personal information subject to the law.
TDBL covers information holders—persons or businesses who conduct business in the state and own or license computerized data containing personal information.
Personal information is an individual’s first name or first initial and last name in combination with a social security number, driver’s license number, or account number with a security code. Any company with computerized human resource information will likely have personal information.
Any “information holder” must notify Tennessee residents if there is a breach.
Before 7/1/16, an information holder was required to notify a Tennessee resident of any unauthorized acquisition of unencrypted computerized data that materially compromised the security, confidentiality, or integrity of the personal information it maintained. Now, an information holder must notify even if the personal information is encrypted and there is a “breach”.
The old TDBL obligated information holders to notify at the most expedient time possible and without “unreasonable delay”. Now they must notify Tennessee residents of any data breach immediately, and not later than 45 days following the discovery of a breach, unless law enforcement requests the delay.
The definition of unauthorized access was expanded to include employees who intentionally use personal information for an unlawful purpose. What should you do in view of these changes?
1. Analyze where and how you keep personal information defined by the act.
2. Continue--or start now--to encrypt personal information.
3. Determine what security measures you have and what additional ones you need. Would an independent audit of your security be helpful?
4. Revise your breach notification policies and procedures in light of the change in the law. Oh, you do have a breach notification policy, don’t you?
5. De-identify the personal information.
6. Get rid of old data you are not using. Old data is dangerous data.
If you would like to speak to Debra Fulton on this or any other matter, she may be reached at (865) 546-9321.