You’ve Been Hacked

Tennessee Law Updates Your Obligations After a Data Breach

In J.R.R. Tolkien’s The Hobbit, the protagonist Bilbo Baggins pens a memoir recounting harrowing adventures with a team of unlikely allies. His journey culminates in the improbable defeat of the mighty dragon Smaug and the return to the comforts of his beloved home. More recently, the Tennessee General Assembly has undertaken to combat the dangers of cybercrime, traversing through a meandering array of amendments that could aptly share the title of Mr. Baggins’s memoir, There and Back Again.

Like the hobbit, this year’s amendments to Tennessee’s data breach notification law return it to where it began, albeit with a few improvements forged through experience, trial and error. This article chronicles the highlights of this legislative endeavor, focusing on the law’s evolution and key features, while offering some practical takeaways for responding to data breaches.

Background

In 2002, California became the first state in the country to pass a law requiring businesses and government agencies to notify their residents of data breaches.[1] Tennessee followed suit and enacted a data breach notification law in 2005, Tenn. Code Ann. § 47-18-2107, under the rubric of the Tennessee Identity Theft Deterrence Act of 1999. The threat of cybercrime has become even more pronounced and pervasive since then. As has been widely reported, recent data thefts have targeted some of the most well-known companies and institutions in the country, such as Anthem, the Democratic National Committee, the Office of Personnel Management, Trump Hotels, Verizon, and many others.[2] This fall, Equifax disclosed that hackers stole from it the social security numbers of 143 million Americans, and Yahoo recently announced that all 3 billion of its accounts were hacked in 2013.

In 2016, there were more than 4,000 data breaches exposing more than four billion records.[3] Complaints to the FBI reported losses of more than $1.3 billion in 2016, a 24-percent increase compared to 2015.[4] Data breaches are estimated to cost the global economy in excess of $2 trillion annually by 2020.[5] Cybercriminals hack social security numbers, credit card numbers, company trade secrets and other sensitive information. This information can be used to steal identities, to obtain tax rebates through fraudulent tax returns, to make unauthorized credit card charges, to steal funds electronically, to create mischief in political elections, and for other malevolent purposes.

Like the legislatures of the 47 other states that now have data breach notification laws,[6] the Tennessee General Assembly has not ignored these alarming developments. In 2016, Tennessee amended its data breach law with some controversy and then retracted the crux of these modifications a year later, enacting the current amendments, effective April 4, 2017.

What Is a Data Breach?

The various iterations of Tennessee’s statute have defined what constitutes a data breach. The current statute defines a “breach of security system” as “the acquisition of the [following] information … by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder: (i) Unencrypted computerized data; or (ii) Encrypted computerized data and the encryption key….”[7]

The statute further defines many of the terms contained in the definition of “breach of security system.” The statute provides that “[p]ersonal information”

(A) Means an individual’s first name or first initial and last name, in combination with any one (1) or more of the following data elements: (i) Social security number; (ii) Driver license number; or (iii) Account, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; and

(B) Does not include information that is lawfully made available to the general public from federal, state, or local government records or information that has been redacted, or otherwise made unusable….”[8]

This definition is similar to those in the 2016 and pre-2016 definitions.[9]

An “information holder” is a “person or business that conducts business in this state, or any agency of this state or any of its political subdivisions, that owns or licenses computerized personal information of residents of this state.”[10]

Based on a 2016 amendment, the statute’s operative language provides that an “unauthorized person” can include “an employee of the information holder who is discovered by the information holder to have obtained personal information with the intent to use it for an unlawful purpose.”[11] Thus, a rogue employee’s misappropriation of personal information may constitute a breach under the statute.

Under the current statute, “[e]ncrypted means computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2.”[12] The U.S. Government’s National Institute of Standards and Technology (NIST) issued FIPS 140-2 to review and approve the security of cryptographic modules (i.e., technology and products used to encrypt data).[13] NIST maintains a list of validated modules, specifying the products by vendor name (e.g., Seagate Technology LLC) and Validation Certificate numbers with module names (e.g., 2886 — Seagate Secure® TCG Enterprise SSC Self-Encrypting Drive), and other information.[14] Consulting this list answers whether a particular encryption product complies with the Tennessee data breach statute.

The major change in the statute’s definition of data breach over the past decade relates to whether the theft of encrypted information could constitute a data breach. The original statute defined breach in terms of the “unauthorized acquisition of unencrypted computerized data.” In 2016, the General Assembly removed the adjective “unencrypted” from the definition of data breach, thereby becoming apparently the only state in the country to consider a breach to include encrypted data.[15] The rationale for this amendment was the belief that encrypted data is “now being stolen almost as easily as unencrypted [data].”[16]

This change proved quite controversial. One commentator remarked that he “didn’t believe it at first” and disagreed that encrypted data is being stolen as easily as unencrypted data[17] — as, indeed, what harm could there be if the information stolen is unusable, unreadable or indecipherable? Another was “flummoxed by this amendment,” lamenting that this “change apparently punishes those who have invested time and money into properly securing their data.”[18] A third expressed concern that the amendment “could pose substantial burdens” on companies doing business in Tennessee.[19] Adding confusion to this controversy was that the 2016 statute continued to define “personal information” in terms of information that is “not encrypted,” while inconsistently defining “breach of system security” as applying even to encrypted personal information. The 2017 statute resolves these issues by returning to the pre-2016 safe harbor: the unauthorized acquisition of encrypted information (without the decryption key) is not a data breach.

What Obligations Are Triggered by a Breach?

Under the 2017 statute, an information holder must generally disclose the breach to affected Tennessee residents within 45 days of discovery or notification of a breach of system security.[20] This time period marks a significant change from the earlier versions, which normally required disclosure “immediately, but no later than 45 days” (2016 version) or “in the most expedient time possible and without unreasonable delay” (pre-2016 version). This change ameliorates another controversy with the 2016 amendments — the prospect that a company would be forced to disclose the breach before it had sufficient time to investigate the circumstances of and remediate the breach. Moreover, similar to the earlier versions, the 2017 statute permits an information holder to delay disclosure if required by the legitimate needs of law enforcement. If the notification is so delayed, it must now be made within “forty-five days after the law enforcement agency determines that notification will not compromise the investigation.”[21]

The current statute addresses how an information holder is to disclose the breach. Similar to prior versions, under the operative statute, notice may be (1) written, (2) electronic under certain defined circumstances,[22] or (3) substitute if the cost of providing notice would exceed $250,000, more than 500,000 persons are affected, or the information holder does not have sufficient contact information and the notice contains the following: “(A) Email notice, when the information holder has an email address for the subject person; (B) Conspicuous posting of the notice on the information holder’s website, if the information holder maintains a website page; and (C) Notification to major statewide media.”[23] Unlike some other states, the Tennessee statute does not specify the content to include in the notice. For example, Massachusetts requires certain content in data breach notices:

The notice to be provided to the resident shall include, but not be limited to, the consumer’s right to obtain a police report, how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze, and any fees required to be paid to any of the consumer reporting agencies, provided however, that said notification shall not include the nature of the breach or unauthorized acquisition or use or the number of residents of the commonwealth affected by said breach or unauthorized access or use.[24]

The Tennessee statute further authorizes an information holder to follow its own notification procedures as part of its information security policy, rather than the provisions of the statute, if the policy is consistent with the timing requirements of the statute.[25]

If the incident requires notification of more than 1,000 persons at one time, “the information holder must also notify, without unreasonable delay, all consumer reporting agencies … and credit bureaus that compile and maintain files on consumers on a nationwide basis, of the timing, distribution, and content of the notices.”[26]
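The elements of the statute walked through in the two sections above can be reduced to a small decision helper for an incident-response checklist. The Python below is an added example, not code from the article or its author; it models the statute only as the article summarises it (the personal-information elements, the encryption safe harbor, the good-faith employee exception, the 45-day clock and its law-enforcement reset, the substitute-notice thresholds, and the 1,000-person consumer-reporting-agency trigger), and the field names and the sample incident are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Thresholds as the article states them for Tenn. Code Ann. § 47-18-2107 (2017).
NOTIFY_WITHIN_DAYS = 45
SUBSTITUTE_NOTICE_MIN_COST_USD = 250_000
SUBSTITUTE_NOTICE_MIN_PERSONS = 500_000
CREDIT_BUREAU_NOTICE_MIN_PERSONS = 1_000
# Elements that, combined with a name, make "personal information"; the last one stands
# for an account/card number together with the code or password that permits access.
PERSONAL_DATA_ELEMENTS = {"ssn", "driver_license", "financial_account_with_access_code"}

@dataclass
class BreachFacts:
    """Facts gathered during incident response (field names are assumptions)."""
    includes_name: bool                   # first name or initial plus last name present
    data_elements: frozenset              # elements acquired, e.g. {"ssn"}
    public_record_or_redacted: bool       # lawfully public, or redacted/made unusable
    encrypted_per_fips_140_2: bool        # encrypted with a FIPS 140-2 validated module
    encryption_key_acquired: bool         # the key was taken along with the ciphertext
    acquired_by: str                      # "outsider", "employee_good_faith" or "employee_unlawful_intent"
    materially_compromises: bool          # security/confidentiality/integrity materially compromised
    discovered_on: date
    law_enforcement_cleared_on: Optional[date]   # set only if law enforcement asked for a delay
    persons_affected: int
    notice_cost_usd: int
    sufficient_contact_info: bool
    subject_to_hipaa_or_glba: bool

def is_personal_information(f: BreachFacts) -> bool:
    """§ 47-18-2107(a)(4): a name plus at least one listed element, unless public or redacted."""
    return (f.includes_name and bool(f.data_elements & PERSONAL_DATA_ELEMENTS)
            and not f.public_record_or_redacted)

def is_breach_of_security_system(f: BreachFacts) -> bool:
    """§ 47-18-2107(a)(1) as the article summarises it."""
    if not is_personal_information(f) or not f.materially_compromises:
        return False
    if f.encrypted_per_fips_140_2 and not f.encryption_key_acquired:
        return False  # 2017 safe harbor: encrypted data without the key is not a breach
    if f.acquired_by == "employee_good_faith":
        return False  # good-faith acquisition for the holder's purposes is excluded (note 7)
    return True       # outsiders and employees acting with unlawful intent are "unauthorized persons"

def notification_plan(f: BreachFacts) -> dict:
    """Return the obligations the article describes, or why none arise under the Tennessee statute."""
    if f.subject_to_hipaa_or_glba:
        return {"governing_law": "HIPAA/GLBA", "tennessee_statute_applies": False}
    if not is_breach_of_security_system(f):
        return {"governing_law": "Tennessee", "breach": False}
    # The 45-day clock runs from discovery, or from law-enforcement clearance if notice was delayed.
    clock_start = f.law_enforcement_cleared_on or f.discovered_on
    return {
        "governing_law": "Tennessee",
        "breach": True,
        "notify_residents_by": clock_start + timedelta(days=NOTIFY_WITHIN_DAYS),
        "substitute_notice_permitted": (f.notice_cost_usd > SUBSTITUTE_NOTICE_MIN_COST_USD
                                        or f.persons_affected > SUBSTITUTE_NOTICE_MIN_PERSONS
                                        or not f.sufficient_contact_info),
        "notify_consumer_reporting_agencies": f.persons_affected > CREDIT_BUREAU_NOTICE_MIN_PERSONS,
    }

# Constructed sample incident (not from the article): names and SSNs of 1,200 residents, unencrypted.
SAMPLE = BreachFacts(
    includes_name=True, data_elements=frozenset({"ssn"}), public_record_or_redacted=False,
    encrypted_per_fips_140_2=False, encryption_key_acquired=False, acquired_by="outsider",
    materially_compromises=True, discovered_on=date(2017, 6, 1), law_enforcement_cleared_on=None,
    persons_affected=1_200, notice_cost_usd=20_000, sufficient_contact_info=True,
    subject_to_hipaa_or_glba=False,
)
```

Vary the facts with `replace(SAMPLE, encrypted_per_fips_140_2=True)` or `replace(SAMPLE, law_enforcement_cleared_on=date(2017, 7, 1))` to see the safe harbor remove the breach finding and the law-enforcement delay move the deadline.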

What Are the Ramifications of a Failure to Notify?

As with its predecessor versions, the statute provides a private right of action for customers injured by its violation to recover damages and injunctive relief, in addition to any other rights and remedies available under the law. There is a dearth of case law interpreting this statute. Other sections of Title 47, Chapter 18, Part 21, which includes the data breach notification statute, contain additional provisions regarding claims brought under Part 21. For example, Tenn. Code Ann. § 47-18-2106 provides that any violation of this part is a violation of the Tennessee Consumer Protection Act.[27] Another statute requires a party commencing a private action under this part to provide a copy of the complaint and initial pleadings to the Tennessee division of consumer affairs.[28] That statute further specifies a two-year statute of limitations, except when the defendant concealed the liability from the plaintiff.[29]

Exemptions Under HIPAA and the Gramm-Leach-Bliley Act

Without a uniform federal data breach notification statute, this country’s data breach notice laws comprise a patchwork of state and federal laws that vary by industry. Taking into account this reality, Tennessee’s data breach notification statute does not apply to any information holder that is subject to HIPAA, as expanded by the 2009 HITECH Act, or the Gramm-Leach-Bliley Act of 1999.[30] HIPAA applies to “covered entities,” which includes health care providers, health plans and health care clearinghouses.[31] Under the HITECH Act, HIPAA also applies to law firms and other entities if they are “business associates” performing services for a covered entity that involve the use or disclosure of protected health information.[32] The Gramm-Leach-Bliley Act applies to financial institutions, defined as any U.S. companies that are “significantly engaged in financial activities.”[33] Financial institutions include, among others, banks, investment advisory companies and mortgage lenders.[34]

The notification procedures under HIPAA and the Gramm-Leach-Bliley Act differ from the Tennessee statute. For instance, HIPAA’s requirements apply to “unsecured protected health information”[35] (rather than “personal information” under the Tennessee statute), specify content to include in the notification (unlike the Tennessee statute, which contains no such instructions),[36] and generally mandate notification “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach” (unlike the 45-day period in the Tennessee statute).[37] Guidance for responding to a breach implicating the Gramm-Leach-Bliley Act appears in the Interagency Guidelines Establishing Information Security Standards, 12 C.F.R. Part 30, App. B. Among other things, these standards define the type of information that triggers a duty to notify (“sensitive customer information”),[38] state that financial institutions should notify customers “as soon as possible” if the institution determines that there is a reasonable possibility that their information will be misused, and specify the content that should be included in the notification.[39]

Notably, these are not the only laws and rules that could affect data breach notifications. For instance, the Federal Trade Commission’s (FTC) Health Breach Notification Rule applies to certain entities not covered by HIPAA possessing health information, such as “online services people use to keep track of their health information and online applications that interact with those services.”[40] This FTC rule preempts state laws within its scope that are contradictory or less restrictive.[41]

Conclusion and Takeaways

The General Assembly’s 2017 amendments mark a positive step forward in addressing the threats of cyber-theft and the challenges it poses to Tennessee residents and businesses. In particular, the amendments restore the encryption safe harbor and alleviate the risk that a company would need to disclose a breach before being able to investigate and remediate it.

Some practical guidance for responding to data breaches can be gleaned from the statute’s language and history. First, the 2017 amendments reaffirm the importance of companies establishing and implementing appropriate safeguards for securing sensitive information, such as by encrypting it, to protect against a data breach. For example, the theft of encrypted data (without the encryption key) does not trigger the obligation to notify under the Tennessee statute.

As suggested in the Tennessee statute’s reference to the cost of notice exceeding $250,000, a data breach can be expensive, not even taking into account reputational damage. It is advisable to secure an appropriate cyber-insurance policy that covers the major costs associated with data breaches, such as notification, forensic investigation and restoration, business interruption, public relations, legal fees, extortion, losses from electronic theft of money, and fines and penalties.

In order to determine how to respond to a data breach, a company should assess what notification law governs the situation (e.g., HIPAA, the Tennessee data breach statute). Such a determination will affect, for example, the timeframe for providing the breach notification to customers and its content.

The information holder should also consider whom to notify of the breach, such as customers, law enforcement, credit bureaus, the media, insurers and contractual privies whose sensitive data the information holder maintains.

Of course, there are other considerations for responding to a breach, such as engaging computer forensic specialists to investigate and remediate the vulnerability of the computer system, if applicable.[42]

As in The Hobbit, advanced planning, a competent team and some good fortune can justify a business echoing the wizard Gandalf’s declaration “you shall not pass” to cybercriminals and, if a breach occurs, aspiring to return “back again” in remediating any harm to the company and its customers.

Notes

  1. Lothar Determann, “New California Data Security and Breach Notification Requirements,” Bloomberg BNA, Feb. 29, 2016, at https://www.bna.com/new-california-data-n57982067883/.
  2. See, e.g., Elizabeth Weise, “Top Hacks and Data Breaches,” USA Today, Dec. 14, 2016, at https://www.usatoday.com/story/tech/news/2016/12/14/biggest-data-breaches/95446624/.
  3. “4.2 Billion Records Exposed in Data Breaches in 2016: Report,” Security Week, Jan. 27, 2017, at http://www.securityweek.com/42-billion-records-exposed-data-breaches-2016-report.
  4. “2016 Internet Crime Report,” Federal Bureau of Investigation, at https://pdf.ic3.gov/2016_IC3Report.pdf.
  5. “Data Breach Costs Will Soar to $2T: Juniper,” Credit Union National Association News, May 15, 2015, at http://news.cuna.org/articles/105948-data-breach-costs-will-soar-to-2t-juniper.
  6. Security Breach Notification Laws, National Conference of State Legislatures, April 12, 2017, at http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx. Alabama and South Dakota are the only states without a data breach notification statute. See id.
  7. Tenn. Code Ann. § 47-18-2107(a)(1)(A) (2017). A data breach “[d]oes not include the good faith acquisition of personal information by an employee or agent of the information holder for the purposes of the information holder if the personal information is not used or subject to further unauthorized disclosure.” Tenn. Code Ann. § 47-18-2107(a)(1)(B) (2017).
  8. Tenn. Code Ann. § 47-18-2107(a)(4) (2017).
  9. Unlike the current statute, the earlier versions did not expressly exempt “information that has been redacted, or otherwise made unusable.” Id. Also, the prior versions defined “personal information” in terms of unencrypted information, a concept implied in the current definition and discussed later in this article.
  10. Tenn. Code Ann. § 47-18-2107(a)(3) (2017).
  11. Tenn. Code Ann. § 47-18-2107(a)(5) (2017).
  12. Tenn. Code Ann. § 47-18-2107(a)(2) (2017). Prior versions of Tennessee’s data breach notification law did not reference FIPS.
  13. Standards, NIST Computer Security Division, at http://csrc.nist.gov/groups/STM/cmvp/standards.html.
  14. FIPS 140-1 and FIPS 140-2 Vendor List, NIST, at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm.
  15. Sharon D. Nelson, “Tennessee’s New Breach Notification Statute Requires Disclosure of Encrypted Data,” Ride the Lightning, May 3, 2016, at http://ridethelightning.senseient.com/2016/05/tennessees-new-breach-notification-statute-requires-disclosure-of-encrypted-data.html.
  16. David Raths, “Is Encryption a Safe Harbor From Data Breach Reporting? Not in Tennessee,” Healthcare Informatics, May 4, 2016, at https://www.healthcare-informatics.com/blogs/david-raths/encryption-safe-harbor-data-breach-reporting-not-tennessee; see also Tenn. News Rel., S. Rep. (May 10, 2016) (“The law, however, does not affect encrypted information even though a growing number of breaches involve encrypted data as the methods used by criminals become more sophisticated.”).
  17. David Raths, “Is Encryption a Safe Harbor From Data Breach Reporting? Not in Tennessee,” Healthcare Informatics, May 4, 2016, at https://www.healthcare-informatics.com/blogs/david-raths/encryption-safe-harbor-data-breach-reporting-not-tennessee.
  18. Sharon D. Nelson, “Tennessee’s New Breach Notification Statute Requires Disclosure of Encrypted Data,” Ride the Lightning, May 3, 2016, at http://ridethelightning.senseient.com/2016/05/tennessees-new-breach-notification-statute-requires-disclosure-of-encrypted-data.html.
  19. Stephen E. Embry, “Law and Technology Disconnect: Tennessee Just Killed Encryption Safe Harbor,” Financial Services Blog, Apr. 11, 2016, at http://www.fbtbankingresource.com/law-and-technology-disconnect-tennessee-just-killed-encryption-safe-harbor.
  20. Tenn. Code Ann. § 47-18-2107(b) (2017). For breaches of personal information that the information holder does not own, the information holder must disclose the breach to the owner or licensee of the information in the same timeframe provided for breaches involving information owned by the information holder. Tenn. Code Ann. § 47-18-2107(c) (2017).
  21. Tenn. Code Ann. § 47-18-2107(d) (2017).
  22. Notice may be provided by “[e]lectronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 or if the information holder’s primary method of communication with the resident of this state has been by electronic means.” Tenn. Code Ann. § 47-18-2107(e)(2) (2017). The referenced federal statute is the Electronic Signatures in Global and National Commerce Act (the “E-Sign Act”). The E-Sign Act permits the use of electronic records to satisfy legal requirements for information to be provided in writing, if the consumer has affirmatively consented to and not withdrawn such use. FDIC Compliance Examination Manual § 10 (May 2017), at https://www.fdic.gov/regulations/compliance/manual/10/x-3.1.pdf.
  23. Tenn. Code Ann. § 47-18-2107(e) (2017).
  24. Mass. Gen. Laws ch. 93H, § 3(b) (2017).
  25. Tenn. Code Ann. § 47-18-2107(f) (2017).
  26. This provision references the federal Fair Credit Reporting Act (FCRA). Experian, Equifax and Trans Union are considered both consumer reporting agencies under FCRA and credit bureaus. See, e.g., Lewis v. Midland Credit Mgmt., No. CIV-15-1052-R, 2016 WL 4747414, at *1 (W.D. Okla. Sept. 12, 2016); Lett v. Midland Funding LLC, No. 2:13CV665-MHT, 2013 WL 6162674, at *3 (M.D. Ala. Nov. 22, 2013).
  27. Tenn. Code Ann. § 47-18-2106(a) (2017).
  28. Tenn. Code Ann. § 47-18-2104(a) (2017).
  29. Tenn. Code Ann. § 47-18-2104(c) (2017).
  30. Tenn. Code Ann. § 47-18-2107(i) (2017). Prior to the 2016 amendments, the Tennessee statute exempted the Gramm-Leach-Bliley Act, but not HIPAA.
  31. 45 C.F.R. § 160.103.
  32. Id.
  33. 15 U.S.C. § 6801; 16 C.F.R. § 313.3(k)(1).
  34. 15 U.S.C. § 6805(a); 16 C.F.R. § 313.3(k)(2).
  35. 45 C.F.R. § 164.404(a)(1). “Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5.” 45 C.F.R. § 164.402. 45 C.F.R. § 160.103 in turn defines the term “protected health information,” in essence, as information that “[i]s created or received by a” covered entity and “[r]elates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) [t]hat identifies the individual; or (ii) [w]ith respect to which there is a reasonable basis to believe the information can be used to identify the individual.”
  36. 45 C.F.R. § 164.404(c).
  37. 45 C.F.R. § 164.404(b).
  38. “[S]ensitive customer information means a customer’s name, address or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name or password or password and account number.” 12 C.F.R. Part 30, App. B.
  39. Id.
  40. “Complying with the FTC’s Health Breach Notification Rule,” Federal Trade Commission, at https://www.ftc.gov/tips-advice/business-center/guidance/complying-ftcs-health-breach-notification-rule; 16 C.F.R. Part 318.
  41. Id.
  42. See, e.g., “Data Breach Response: A Guide for Business,” Federal Trade Commission, Sept. 2016, at https://www.ftc.gov/system/files/documents/plain-language/pdf-0154_data-breach-response-guide-for-business.pdf.

Russell Taber is a business litigator at Riley Warnock & Jacobson PLC in Nashville. His practice includes information privacy and data breach law. He graduated from Vanderbilt Law School and holds a CIPP-US certification, a non-legal certification provided by the IAPP for information privacy professionals. He authored the book Electronic Discovery in Tennessee: Rules, Case Law and Distinctions, which has been used as a textbook at certain Tennessee law schools.

TBA Law Blog