The Tennessee legislature recently amended that state’s data breach notification statute. Tennessee now requires information holders to disclose any security or data breach to Tennessee residents “immediately, but no later than fourteen (14) days from the discovery or notification of the breach.” There is an exception if more time is needed for a legitimate law enforcement reason.
Also, the Tennessee legislature changed the rule regarding disclosure of access to encrypted data as well as unencrypted data. Finally, the legislature broadened the definition of “unauthorized user” to include employees of the information holder.
The Governor signed the bill and the law becomes effective July 1, 2016.