Tennessee
Privacy Laws
Overview
BREACH NOTIFICATION – Mandated Timeframe
Within 45 days
FINES & PENALTIES – Violations
Civil action to recover damages
Regulation Levels
-
Breach Reporting
-
Consumer Notification
-
Vendor Management
-
Vendor Contract Required
PRIVACY AND SECURITY LAWS
Laws related to personal information and privacy and security.
Breach Reporting
Required
Vendor Obligations
Required
Consumer Notification
Required
Vendor Contracts
Not Required
Vendor Notification
Required
Privacy Program
Required
QUICK FACTS
Tennessee Privacy Law Information
Organizations must have measures in place for the secure disposal of personal information in their possession.
If notification is required to more than 1,000 persons, it must be reported, without unreasonable delay, to all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis.
If any state residents are affected by a breach of security, the breached Organization must give notice to the affected individuals within 45 days of discovery of the breach. If a breach affects residents of other jurisdictions, those individuals must be notified abased on the breach notification laws of the jurisdiction where they reside.
Vendors must notify Organizations no later than 45 days after discovery of a breach of a suspected breach. The Organizations will be responsible to complete any required regulatory reporting and consumer notification.
Tennessee passed the Insurance Data Security Law, which includes requirements of insurance licensees to protect personal information and investigate and respond to data breaches. Effective, July 1, 2021, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days. Separate state laws exist relating to student data and health records.
Violations of Tennessee’s data disposal law may be punishable by a civil penalty in the amount of $500, up to $10,000, for each record containing a customer’s personal identifying information that is wrongfully disposed of or discarded. Any consumer injured due to an Organization’s violation of the breach notification requirements can bring a civil action to recover damages and prevent further violations.
Tennessee Statutes and Laws
Identity theft victims’ rights
Release of personal consumer information
Protecting social security numbers from disclosure
Education/Data Accessibility, Transparency and Accountability Act
EDUCATION/RELATIVE TO CYBERSECURITY – TEMPLATE MINIMUM REQUIREMENTS
Insurance Data Security Act
Short title
DISCLAIMER
The information provided is not legal guidance or recommendations and are for informational purposes only.