For businesses “doing business” in multiple states, the different and confounding state laws make responding to a data breach in an appropriate, timely and in a compliant fashion very difficult. This is compounded by the aftermath of a breach being filled with the uncertainty, concern and even panic that any emergency brings. Add to that the multiple competing interests in such a situation and the opportunity for a wrong decision with significant consequences is magnified many times over.
Tennessee recently added even more complexity to these complicated, confusing and outright contradictory state requirements. Effective July 1, 2016, the Tennessee definition of what constitutes a “breach of the security of the system” that triggers notice includes not only the loss of unencrypted data but encrypted data as well (if that data includes personally identifiable information of Tennesseans). Tennessee is the first state in the country to eliminate a safe harbor from data breach notice obligations where the breach involves encrypted data. All the other states with data breach notification statutes specifically provide this safe harbor from notice for encrypted data.
The Tennessee action is all the more amazing given that encryption of personal data is a data security best practice, particularly for data in transit and is the current state of the art. While encrypted data may conceivably be hackable (depending on the strength of the encryption), it nevertheless provides the best available protection. Encryption is routinely used by businesses and professional firms for protection of the confidentiality and privacy of clients and customers. Encrypted data is not, as the sponsor of the Tennessee amendments, Sen. Bill Ketron, argued “now being stolen almost as easily as unencrypted [data].” Far from it.
On its face, the Tennessee law still provides that a notice of a breach requires that the unauthorized access of data “materially compromise the security, confidentiality or integrity of personal information” and that notice is required where personal information is “reasonably believed to have been acquired”. In doing so, Tennessee’s law is consistent with that of some 41 other states all of whom provide a safe harbor for encrypted data. Under these “risk of harm analysis” statutes, its indeed possible to argue that where the data is encrypted, then there is no such material compromise and no reasonable belief that personal information has been acquired.
But in Tennessee at least, the burden of showing these criteria are met is now higher since losing encrypted data is no longer per se exempt from notice requirements
And an argument could be made—valid or not—that the amendment makes any consideration of encryption or non-encryption of the material irrelevant. Under this argument, the “material compromise” and “reasonably believed to have been acquired” language could only be met by showing something else entirely. Stated simply under this theory: encryption of data no longer eliminates the obligation to give notice of a breach in Tennessee. The literal language of the statute and the legislative history and comments of Sen. Ketron might support such a claim even if practicalities do not. So in Tennessee although data breach notification is expensive, can cause widespread panic, and can cause substantial reputational losses to a business, notice must be given even if the data is encrypted and simply can’t be accessed. Crazy.
Tennessee also amended the time in which notice must be given. Like most other states, Tennessee formally only required that notice be given without reasonable delay consistent with the needs of law enforcement. Tennessee, like Washington, also allowed additional time in order for the breached party to determine the scope of the breach and to restore the integrity of the system. This gave businesses some time to investigate, determine what had been lost and make sure the systems were secure and not subject to any additional breach.
As of July 1, notice must be given by at most 45 days, period. No longer does Tennessee grant any extension of time to investigate and restore; the only way the 45-day period can be extended is if law enforcement makes a request that notice be delayed. In fact, only eight other states even have a specific time period in which notice must be given. 5 states, Ohio, Rhode Island, Vermont, Washington and Wisconsin have a 45-day period. Washington of course provides an extension as noted above. Connecticut allow 90 days and Florida is the only state with a shorter period: 30 days.
And Tennessee is one of 15 states that specifically provide for a private cause of action where the data breach notification statutes are not complied with. (Query what damages there may be for a violation when the data is encrypted). Like most states, the Tennessee statute for example requires that the person suing have been “injured”; but such standing concepts have not precluded litigation in other well and not so well known data breach situations. What constitutes an injury in the data breach context has on occasion been stretched pretty far and been held to include threatened harm as well actual injury. See Remijas v. Neimon Marcus Groups LLC, 2015 WL 4394814 (7th Cir. 2015). Click here for a summary of the data breach standing litigation. See also Robins v. Spokeo Inc. pending before the U.S. Supreme Court and in which the issues before the Court is whether Article II standing is created by the violation of statutes containing financial penalties awardable to the affected party.
Without question, these changes create serious problems for those businesses doing business in Tennessee. Tennessee law like that of many other states applies to any entity that conducts business in the state, irrespective of where that holder may be based or headquartered, if that firm collects personal data of a state’s residents.
And on a more global basis the conflicting notice periods complicate any data breach response. With the elimination of the encryption safe harbor, the Tennessee amendments now make the law there arguably the most onerous in the nation.
What should businesses be doing?
There are legions of publicly available materials that provide information for business in preparing themselves for what some say is the inevitable data breach. See for example:
Security Breach Response Plan Toolkit
Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide by Christopher Wolf
But the changes in Tennessee law are instructive how rapidly things change in this field. Correspondingly, this rapid change requires the constant review and update of data response plans and related information and materials. The new Tennessee changes, for example, may affect several issues and requirements. Incident responses plans may be substantial affected and rendered in whole or in part obsolete. Likewise, vendor contracts often contain notice provisions that may create conflicting requirements with the new law. Cyber insurance policies also could contain various inconsistent requirements and may not even cover breaches that involve encrypted data.
Businesses should have a way of determining whether a change in any state in which they do business has occurred. Most privacy professionals and legal counsel can provide this information on an ongoing basis. At the very least, businesses should review on an ongoing basis their incident response plans in light of any changes in state requirements. Also businesses should review such things as what service providers may have personal information relating to residents in states where a legal change occurs and what their contracts with them say. Plus, insurance policies should be re-reviewed. And data protection policies, levels of encryption and how a business might meet the “no material compromise” and “no reasonable belief that information has been acquired” safe harbors should be thought through.
And the time to do these kinds of reviews and due diligence now more than is before a breach occurs not after.