Earlier this year, Tennessee revised its data breach law, Tennessee Code 41-18-2107. Under the old law, an entity needed to disclose a data breach only where the unencrypted "personal information" of a Tennessee resident was or is reasonably believed to have been acquired by an unauthorized person. Tennessee Code 41-18-2107(b). The revised law removes the encryption safe harbor. Now, an entity must disclose any data breach where the "personal information" of a Tennessee resident was or is reasonably believed to have been acquired by an unauthorized person -- regardless of encryption status. TN S.B. 2005.
Thus, an entity must be mindful that encrypting personal information may not excuse it from complying with state data breach laws.
- Henry Park