Like nearly every other state, Tennessee has a data breach notification law that requires businesses to notify customers of a breach of their personally identifiable information. The Tennessee Identity Theft Deterrence Act has been in effect since 1999, and the breach notification provision was added in 2005.
However, the new law provides that notification “shall be made immediately” but, in any instance, no later than 45 days from discovery of the breach.
While 45 days may seem like more than sufficient time to provide notification, a business caught flat-footed and unprepared to address a data breach may have a difficult time complying.
Another significant change is that encryption will no longer provide an unqualified “safe harbor” from breach notification.
Mr. Joy has earned the Certified Information Privacy Professional/United States (CIPP/US) credential through the International Association of Privacy Professionals (IAPP).