David M. Brown reported on April 1, 2016 in Data Breach Notification Laws that the State of Tennessee has passed and received the Governor’s signature on revisions to its breach notification requirements.
This law goes into effect on July 1, 2016 and could have a significant impact on Tennessee businesses and others, especially if other states follow Tennessee in enacting stronger breach notification requirements.
Three of the changes to this law include: 1) a shorter notification timeframe, 2) the removal of “safe harbor” provisions for data encryption and 3) a change in the definition of “unauthorized person.” A fourth statement surrounding breach notification was already within the law, but it is worth repeating here.
Shorter Notification Timeframe — A breach is now defined in § 47-18-2107(a)(1) of Tennessee State law as “unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the information holder.” Notification of the breach must occur within 45 days of discovery, whereas most federal requirements allow 60 days.
Notification Regardless of Encryption Status — Upon the discovery of access to Personally Identifiable Information (PII) data by an “Information holder,” businesses must decide whether the access was reasonable and appropriate. If not, they must report a breach, regardless of whether the data was encrypted. As signed by the Governor, Tennessee becomes the first state to remove “safe harbor” for encrypted data.
Re-defined Information Holder — An Information Holder is defined as any person or business that conducts business in this state, or any agency of the state of Tennessee or any of its political subdivisions, that owns or licenses computerized data that includes personal information.
Breach Notification Process — Any information holder shall disclose any breach of the security of the system, following discovery or notification of the breach in the security of the data, to any resident of Tennessee whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, whether the data is encrypted or not. Personal information is defined as name and any combination of SSN, driver’s license number, account number, credit/debit card number, or password.
Businesses with already established breach notification processes can use those existing processes as long as the timing requirements (45 days) of the Tennessee law are complied with.
While there is no minimum count on the number of persons involved in a breach (meaning that a Tennessee business has to report a breach of just one person), there are certain alternate notification methods for breaches with notification costs that would exceed $250,000 or 500,000 persons. Additionally, any breach involving 1,000 persons or more requires the business to notify, without unreasonable delay, all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. § 1681a, of the timing, distribution and content of the notices.
With the removal of “safe harbor” status for encryption, future case law involving data breaches may now decide whether an organization’s encryption technologies were sufficient to prevent disclosure. Tennessee businesses that have not adopted encryption, or are still using weak encryption technologies, should be advised to migrate to stronger encryption technologies rather than continue to run at risk.
Tennessee businesses that have not already adopted some Identity and Access Management policies, procedures, and/or software may want to take actions to develop this service within their businesses to reduce the number of personnel that have access to PII data.
Tennessee businesses need to ensure that all accesses to PII are tracked and logged and adopt corporate policies for information security, confidentiality, and integrity of PII. Additionally, businesses need to audit these logs on a periodic basis to ensure that “information holders” (i.e., employees or agents) are properly following company policies regarding confidentiality, security, and integrity of PII.
The auditors should look for “out of normal” access by valid “information holders” and any access by invalid “information holders.” These audits should also be retained as evidence of an on-going, mature information access policy.
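A minimal form of the periodic audit described above, as an added example that is not part of the original post: it reads a constructed PII access log, flags any access by a user who is not on the roster of authorized information holders, and flags “out of normal” access by valid holders (off-hours activity, or more distinct records in one day than a baseline cap). The log format, the roster, the business hours and the daily cap are all assumptions made for this illustration.

```python
"""Periodic audit of a PII access log (added example, not the post's code).

Assumptions (constructed for illustration): each log line is
"<ISO timestamp> <user> <record-id> <action>", the authorized roster is a
fixed set, normal hours are 08:00-17:59, and a valid holder touching more
than DAILY_RECORD_CAP distinct records in a day is 'out of normal'.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: mallory is not an authorized holder, bob works at
# 02:40, and carol touches four distinct customer records in one day.
SAMPLE_LOG = """\
2016-07-05T09:12:44 alice CUST-1001 VIEW
2016-07-05T09:13:02 alice CUST-1002 VIEW
2016-07-05T02:40:10 bob CUST-2001 EXPORT
2016-07-05T10:05:00 mallory CUST-1001 VIEW
2016-07-05T11:00:00 carol CUST-3001 VIEW
2016-07-05T11:00:05 carol CUST-3002 VIEW
2016-07-05T11:00:09 carol CUST-3003 VIEW
2016-07-05T11:00:14 carol CUST-3004 VIEW
"""

AUTHORIZED_HOLDERS = {"alice", "bob", "carol"}   # assumed roster
BUSINESS_HOURS = range(8, 18)                     # 08:00-17:59, assumed
DAILY_RECORD_CAP = 3                              # assumed baseline


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, user, record, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "record": record, "action": action}


def audit(log_text, authorized=AUTHORIZED_HOLDERS,
          hours=BUSINESS_HOURS, cap=DAILY_RECORD_CAP):
    """Return a list of (finding_type, user, detail) tuples for review."""
    findings = []
    records_per_user_day = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["user"] not in authorized:
            # Any access by an invalid information holder is a finding.
            findings.append(("INVALID_HOLDER", ev["user"], line))
            continue
        if ev["ts"].hour not in hours:
            findings.append(("OFF_HOURS", ev["user"], line))
        records_per_user_day[(ev["user"], ev["ts"].date())].add(ev["record"])
    for (user, day), records in sorted(records_per_user_day.items()):
        if len(records) > cap:
            findings.append(("VOLUME", user,
                             f"{len(records)} distinct records on {day}"))
    return findings
```

Keeping each run's output alongside the reviewed log gives the retained evidence of an ongoing access-review practice that the paragraph above calls for.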
If Tennessee businesses engage any third-party agency as a part of their on-going business operations, these third-party agent(s) must agree to provide copies of audit log reviews on a periodic basis for the PII data provided to the agent(s) by the business. The reason for this is that a business’s “agents” are included in the “information holder” definition.
Tennessee businesses may also want to ensure that they understand whether any current or future agent(s) sell PII or de-identified PII data to other third parties.
Tennessee businesses may want to implement forced encryption of all secondary media containing PII data to reduce the likelihood of disclosure in the event of a lost or stolen USB stick. There are numerous tools available for USB encryption for both Windows and Macintosh, but it is recommended to stay with tools supported by the OS vendor – BitLocker To Go for Windows 7 and higher, and FileVault 2 for Mac OS X.
These new breach notification requirements require Tennessee businesses to have stronger controls on access to PII data within and outside of their domain, both by their own staff and by third-party staff. It’s also noteworthy that “account number” is included in the definition of “personal information,” and every business creates account numbers for its customers. Therefore, this law applies to all Tennessee businesses, regardless of their status: for-profit, non-profit, or not-for-profit.
It is also important to note that Amendment #1 to this law exempted from these breach notification requirements any person or entity that is subject to federal law governing HIPAA as expanded by the Health Information Technology for Economic and Clinical Health (HITECH) Act. This is primarily because these businesses already have federally mandated breach notification procedures as described in the HITECH Act.