As of July 1, 2016, Tennessee will become the first state to require companies to notify consumers of data breaches involving their personal information, even if that information was encrypted. On March 24, 2016, Tennessee's Governor Bill Haslam signed SB2005/HB1631, amending Tennessee's Identity Theft Deterrence Act (the "Act") (Tenn. Code § 47-18-2107) to eliminate its safe harbor for encrypted information. With the amendments, companies with customers in Tennessee will be required to notify those customers if their personal information has been compromised, whether or not that information is encrypted (encryption being generally defined as rendering data unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security).
Importantly, the amended Act does not apply to any person or entity that is subject to federal law governing HIPAA as expanded by the Health Information Technology for Clinical and Economic Health Act. Notably, HIPAA's Notification Rule (74 FR 42740) establishes a "safe harbor" by eliminating the requirement for an organization to notify affected parties and the federal government in the event of a data breach if the breached data is encrypted, or is otherwise in a format that is unusable, unreadable, or indecipherable to unauthorized individuals in accordance with guidance set forth by the Secretary of the Department of Health and Human Services. In light of the foregoing, organizations subject to HIPAA will not be affected by the amended Act. Companies not subject to HIPAA should update their breach notification policies accordingly.