NASHVILLE — The State Senate on Wednesday passed cybersecurity legislation that tightens Tennessee’s breach notification requirements to protect consumers.
The bill is sponsored by Senator Bill Ketron (R-Murfreesboro).
“With more and more personal information stored electronically, there is a growing need to protect personal information, funds and assets,” said Senator Ketron. “This bill moves Tennessee law forward in adapting to the ever-changing landscape of the cyber world and the threats that come as a result.”
Presently, Tennessee law requires a person, state agency, or business that owns or licenses computerized data that includes personal information to disclose any discovered breach of the security of the system to Tennessee residents whose unencrypted personal information may have been acquired by an unauthorized person. The law, however, does not affect encrypted information even though a growing number of breaches involve encrypted data as the methods used by criminals become more sophisticated. The time frame for this notification is also not specified under current law, which says only that it should be made in the most expedient time possible and without unreasonable delay.
Senate Bill 2005 specifies that an unauthorized user includes employees of the information holder and that a breach of the security system includes the unauthorized acquisition of all computerized data, whether encrypted or unencrypted. It further requires that disclosure of a breach be made immediately, but no later than 45 days from the discovery or notification of the breach or, in the event the disclosure is delayed due to the needs of law enforcement, no later than 45 days after the law enforcement agency determines that the disclosure will not compromise a criminal investigation.
According to the Credit Union National Association, the 2013 Target breach is estimated to have cost credit unions over $30 million, and the 2014 Home Depot breach is estimated to have cost even more. These costs include notifying customers of the breach, reissuing credit and debit cards, closing and reopening member accounts, refunding fraudulent charges, stopping and blocking payments and increasing fraud monitoring.
The bill is set to be heard on final consideration in the House of Representatives on Monday night.