Quick Facts
Breach Based on Harm Threshold: No
Deadline for Consumer Notice: No later than 45 days
Government Notification Required: No
Scope of this Summary:
Notification requirements applicable to persons or businesses that conduct business in the state that own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification is required only if the unauthorized acquisition of computerized data materially compromises the security, confidentiality, or integrity of personal information the information holder maintains.
Breach Defined
Unauthorized acquisition that materially compromises the security, confidentiality, or integrity of the covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
The unauthorized acquisition of encrypted nonpublic information is not considered a cybersecurity event if the encryption, process, or key is not also acquired, released, or used without authorization.
Form of Covered Info
Electronic Only
Covered Information
An individual's first name or first initial and last name, in combination with any one or more of the following data elements:
- Social security number.
- Driver's license number.
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Consumer Notice Timing
Must be made no later than 45 days after discovery or notification of the breach.
Consumer Notice Method
By written notice or electronic notice (if consistent with E-SIGN or the primary method of communication with the resident). Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
Tennessee does not have specific content requirements for the notice to affected individuals.
Delayed Notice
Notification may be delayed if law enforcement determines notice will impede a criminal investigation. If notification is delayed, it must be made no later than 45 days after law enforcement determines that notification will not compromise the investigation.
Government Notice
The Tennessee statute does not require notice to any government or regulatory agencies.
Consumer Reporting Agency Notice
If more than 1,000 residents are notified, must notify, without unreasonable delay, all nationwide Consumer Reporting Agencies of timing, distribution, and content of the consumer notice.
Exceptions for other laws
Information holders subject to either the Gramm-Leach-Bliley Act (GLBA) or the Health Information Portability and Accountability Act (HIPAA) are exempt from the statute.
Third-Party Notice
If you maintain covered info on behalf of another entity, you must notify it no later than 45 days following discovery of a breach.
Private Right of Action
Under the Tennessee general breach notification statute, a Tennessee person or business entity who is a customer of an information holder and is injured by a violation of the statute may institute a civil action to recover damages and enjoin the information holder from further action in violation of the statute.
Potential Penalties
Violations may result in civil penalties.
This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.
Last revised on June 15, 2023