When data that you maintain is unlawfully accessed, you are obligated, by law, to take certain steps to protect the individuals whose data was involved. Being adequately prepared for a data breach requires a solid understanding of these rules. Much like running a fire drill before there’s any danger of actual fire, you should read and understand federal and state laws around data breaches and notification before you experience a breach.
Earlier this year, Alysia Horn of Asylas worked with Emily Taylor, an attorney with Watson Roach, to deliver a presentation on data breach notification and technical response. We are constantly referencing Emily’s summary on notification laws and know that our wider audience would appreciate having the information handy too. If you are operating a business that maintains any kind of data in Tennessee, this is for you!
First, Some Definitions
- Application (to whom the statute applies): Any person or business that conducts business in Tennessee, or any agency of Tennessee or any of its political subdivisions, that owns or licenses computerized data that includes personal information (“PI”).
- Security Breach Definition: “…the acquisition of the [following] information…by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder: (i) Unencrypted computerized data; or (ii) Encrypted computerized data and the encryption key…”
- Information Holder: Legally this is “a person or business that conducts business in this state, or any agency of this state or any of its political subdivisions, that owns or licenses computerized personal information of residents of this state.”
- Unauthorized Person: This term can include “an employee of the information holder who is discovered by the information holder to have obtained personal information with the intent to use it for an unlawful purpose.” Thus, a rogue employee’s misappropriation of personal information may constitute a breach under the statute.
What is a Data Breach Under Tennessee Law?
- Your situation may constitute a breach if the following information is affected:
- An individual’s first name or first initial and last name, plus (1) or more of the following data elements:
- (i) Social security number;
- (ii) Driver license number; or
- (iii) Account, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
- Your situation is not a breach if the information is lawfully made available to the general public from federal, state, or local government records, or if the information has been redacted or otherwise made unusable (for example, encrypted data where the key was not also taken).
An Endorsement for Encryption
- Under the current statute, “[e]ncrypted means computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2.”
- The unauthorized acquisition of encrypted information (without the decryption key) is not a data breach.
- This provides an important safe harbor for entities that encrypt data before transmitting or storing it. Note the two conditions built into the definitions above: the encryption must be in accordance with FIPS 140-2, and the safe harbor is lost if the unauthorized person acquires the decryption key along with the data. Key management therefore matters as much as the encryption itself.
OK, It’s a Breach, What Are My Obligations?
- Under the statute, an information holder must disclose the breach to affected Tennessee residents immediately, but no later than 45 days from the discovery or notification of the breach of system security.
- Tennessee is somewhat in the minority of states in that it specifies a fixed amount of time in which to provide notice of the breach.
- The deadline has moved recently: a 2016 amendment set it at 14 days, and a 2017 amendment extended it to the current 45 days. Check the current text of Tenn. Code Ann. § 47-18-2107 before relying on any number.
- Providing notice:
- Notice may be (1) written, (2) electronic under certain defined circumstances, or (3) substitute notice, which is permitted if the cost of providing notice would exceed $250,000, more than 500,000 persons are affected, or the information holder does not have sufficient contact information. Substitute notice consists of all of the following:
- “(A) Email notice, when the information holder has an email address for the subject person;
- (B) Conspicuous posting of the notice on the information holder’s website, if the information holder maintains a website page; and
- (C) Notification to major statewide media.”
- Unlike some other states, the Tennessee statute does not specify the content to include in the notice. For example, Massachusetts requires certain content in data breach notices:
- “The notice to be provided to the resident shall include, but not be limited to, the consumer’s right to obtain a police report, how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze, and any fees required to be paid to any of the consumer reporting agencies, provided however, that said notification shall not include the nature of the breach or unauthorized acquisition or use or the number of residents of the commonwealth affected by said breach or unauthorized access or use.” Mass. Gen. Laws ch. 93H, § 3(b) (2017)
- Breaches involving more than 1,000 people
- If the incident requires notification of more than 1,000 persons at one time, you must notify, without unreasonable delay:
- All consumer reporting agencies; and
- All credit bureaus that compile and maintain files on consumers on a nationwide basis, of the timing, distribution, and content of the notices.
Failure to Meet the Legal Obligations of the Statute
- The statute provides a private right of action for customers injured by its violation to recover damages and injunctive relief, in addition to any other rights and remedies available under the law.
- There is a dearth of case law interpreting this statute.
- Tenn. Code Ann. § 47-18-2106 provides that any violation of the Data Breach Statute is a violation of the Tennessee Consumer Protection Act. Violations of the TCPA can lead to treble (triple) damages.
- Another statute, Tenn. Code Ann. § 47-18-2104 requires a party commencing a private action under this part to provide a copy of the complaint and initial pleadings to the Tennessee division of consumer affairs.
- The same section specifies a two-year statute of limitations, except when the defendant concealed the liability from the plaintiff. In that case, the plaintiff has two years after discovering the liability.
- Not all state data breach statutes create a private right of action. The Tennessee statute requires that the person suing has been “injured.”
What About HIPAA and GLBA?
- Tennessee’s data breach notification statute does not apply to any information holder that is subject to HIPAA, as expanded by the 2009 HITECH Act, or the Gramm-Leach-Bliley Act of 1999.
- HIPAA applies to “covered entities,” which includes health care providers, health plans and health care clearinghouses.
- Under the HITECH Act, HIPAA also applies to law firms and other entities if they are “business associates” performing services for a covered entity that involve the use or disclosure of protected health information.
- The Gramm-Leach-Bliley Act applies to financial institutions, defined as any U.S. companies that are “significantly engaged in financial activities.” Financial institutions include, among others, banks, investment advisory companies, and mortgage lenders.
- Notification under HIPAA and GLBA
- The notification procedures under HIPAA and the Gramm-Leach-Bliley Act differ from the Tennessee data breach statute.
- For instance, HIPAA’s requirements apply to “unsecured protected health information” (rather than “personal information” under the Tennessee statute), specify content to include in the notification (unlike the Tennessee statute, which contains no such instructions), and generally mandate notification “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach” (unlike the 45-day period in the Tennessee statute).
- Guidance for responding to a breach implicating the Gramm-Leach-Bliley Act appears in the Interagency Guidelines Establishing Information Security Standards, 12 C.F.R. Part 30, App. B.
- Among other things, these standards define the type of information that triggers a duty to notify (“sensitive customer information”), state that financial institutions should notify customers “as soon as possible” if the institution determines that there is a reasonable possibility that their information will be misused, and specify the content that should be included in the notification.
What Are Common Causes of Legal Action?
- Negligence: courts in a number of states have acknowledged a legal duty to secure personal information.
- A lack of case law leaves many of the following questions unanswered at this time:
- Would the governmental entity retain immunity? Would an employee of the entity retain immunity if the employee is responsible for the breach? It likely depends on the facts and circumstances.
- Would caps apply to a negligence claim?
- Negligent misrepresentation – cases have proceeded on the theory that defendants have impliedly represented that they will protect data.
- Contract law claims – where explicit commitments have been made about data security, plaintiffs have sued on those contractual duties.
- Breach of fiduciary duty claims require that plaintiffs show a relationship of trust, but they have been used to sue when data breaches have occurred.
- Consumer law claims. (See the Tennessee Consumer Protection Act.)
- Causes of action under Tenn. Code Ann. 47-18-2901
- Part of the same chapter of the code (Title 47, Chapter 18) as the Data Breach Statute. It specifically addresses the security of laptop computers and other removable storage devices held by municipalities and counties.
- “All municipalities…shall create safeguards and procedures for ensuring that confidential information is securely protected on all laptop computers and other removable storage devices used by the municipality or county.”
- “Failure to comply with this section shall create a cause of action for damages…against the municipality…if a citizen proves by clear and convincing evidence that the citizen was a victim of identity theft due to the failure to provide safeguards and procedures regarding the citizen’s confidential information.”
A Breach Generates the Need to Make Difficult Decisions
The bottom line is that preparing for a breach means considering how to answer all of the questions below.
- Is it a breach?
- Do you need to provide notice? If yes, who do you notify and when?
- Do you involve law enforcement?
- Do you hire a forensics company?
- Do you retain counsel?
- Do you involve regulatory agencies?
- Is crisis management necessary?
- Do you offer credit monitoring?
- Do you get relief from a “law enforcement” delay?
If you’ve read through all of Emily’s information but still feel unprepared, reach out to Asylas at 615-622-4591 or email info@asylas.com. Or complete our contact form.