The Tennessee legislature recently passed a modification to the state privacy breach notification requirements, § 47-18-2107. The modification has been sent to the governor for signature. Unfortunately, the modification just confuses the law’s requirements.
The existing code says that a breach notification is required if “unauthorized acquisition of unencrypted computerized data” takes place. The breach also has to materially compromise the security, confidentiality, or integrity of personal information. This seems clear to me.
The new code says that notification is required when there is an acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information. The data no longer has to be unencrypted.
However, subsections add an exception for encrypted data: if the breached data is encrypted, breach notification is not triggered. One encryption exception is for data encrypted in accordance with FIPS 140-2, a Federal Information Processing Standard. I have never seen this used in private business. The second exception is for information that has been made “unusable”. On the face of it, this would seem to include any type of “encryption” process, good or bad.
So, in the old (current) law, if you lost unencrypted data, you had to carry out notification. The new law seems to say that that’s still true, but if you have any reasonable encryption process, you have no duty to notify.