- Any person or business that conducts business in Tennessee is only required give data breach notification if the information acquired was unencrypted, according to a recently passed amendment.
Amended Senate Bill 547 states that encrypted data is “computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS).”
“A breach of system security occurs when an unauthorized person acquires unencrypted computerized data or encrypted computerized data and the encryption key, and the acquisition materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder,” the bill summary explained.
Furthermore, the amendment extended the 45-day time limit for providing notice after a data breach has been discovered. If “the legitimate needs of law enforcement” require an extension, then an additional 45 days may be taken for supplying notification.
“Under present law, publicly available information that is lawfully made available to the general public from federal, state, or local government records is not ‘personal information’, the acquisition of which by an unauthorized person triggers the notice requirement,” the summary stated.
SB 547 added that an “unauthorized person” includes an “employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose.”
The amendment clarified that now an “unauthorized person,” is one who had the “intent to use [the information] for an unlawful purpose.”
The legislation also specified that it does not apply to any information holder that is subject to Title V of the Gramm-Leach-Bliley Act of 1999 or HIPAA as expanded by the HITECH Act.
Tennessee previously updated its data breach notification process in 2016, where SB 2005 removed the word “unencrypted” from describing the type of compromised information that would necessitate notification.
That legislation also had a slightly different notification timeline. SB 2005 stated that calls for disclosure to be made immediately, and no later than 14 days following the discovery of a breach.
“The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation,” the amendment stated. “The notification required by this section shall be made no later than fourteen (14) days after the law enforcement agency determines that it will not compromise the investigation.”
The most recent Tennessee amendment was signed into law by the state’s governor on April 4, 2017. The legislation read that it would go into effect “upon becoming a law, the public welfare requiring it.”
New Mexico also recently updated its data breach notification process, with a state senate committee passing legislation earlier this year. The bill then moved on to the Senate Judiciary Committee.
The bill requires individuals to be notified should their personal information be involved in a security breach, and also states that consumer reporting agencies, the Attorney General’s office, and card processors in certain circumstances be notified as well.
“A person that owns or maintains records containing personal identifying information of a New Mexico resident shall arrange for proper disposal of the records when they are no longer reasonably needed for business purposes,” the legislation stated. “As used in this section, ‘proper disposal’ means shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable.”
The New Mexico legislation did not account for medical information or health insurance data in its definition of “personal information.”
Rep. Bill Rehm introduced the legislation and said in February 2017 that this was an important step because New Mexico was one of three states that did not have a data breach notification law.