Thursday, 6 April 2017
TENNESSEE LEGISLATORS MUDDY WATERS AROUND PRIVACY BREACH NOTIFICATION REQUIREMENTS

The Tennessee legislature recently passed a modification to the state privacy breach notification requirements, § 47-18-2107.  The modification has been sent to the governor for signature.  Unfortunately, the modification just confuses the law’s requirements.

The existing code says that a breach notification is required if “unauthorized acquisition of unencrypted computerized data” takes place.  The breach also has to materially compromise the security, confidentiality, or integrity of personal information. This seems clear to me.

The new code says that notification is required when acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information takes place.  The data does not have to be unencrypted.

However, subsections add an exception for encrypted data. If the data breached is encrypted, breach notification is not triggered. One encryption exception is for data encrypted in accordance with FIPS 140-2, a Federal Information Processing Standard. I have never seen this used in private business. The second exception is for information that has been made “unusable”. On the face of it, this would seem to include any type of “encryption” process, good or bad.

So, in the old (current) law, if you lost unencrypted data, you had to carry out notification.  The new law seems to say that that’s still true, but if you have any reasonable encryption process, you have no duty to notify.

Posted on 04/06/2017 11:20 AM by Fred Scholl