Tennessee looks to abolish the “encryption safe harbor,” a move that many data privacy lawyers believe creates unnecessary stress on businesses. The state recently signed a revised version of the Tennessee Identity Theft Deterrence Act of 1999, which goes into effect July 1, 2016 and sets a 45-day limit within which a victim must be notified of a data breach. If the law goes into effect, Tennessee will have the strictest data breach law in the country, as very few states require notice within a defined period of time and none have abolished the encryption safe harbor. Senator Bill Ketron of Tennessee told the legislature that the law was necessary as “more and more of these breaches involve encrypted data because the cyber threat is growing more sophisticated.”

Stephen Embry of Frost Brown Todd believes that the new law will place an even greater burden on companies: in an instance of hardware theft, the company must now prove that no breach has happened or will happen, whereas in other states the law simply requires the company to show that the data is encrypted. Embry maintains that the added burden is unnecessary because “encryption is the best protection we have.”

J. Matt San Ramon of Wyatt Tarrant & Combs adds that Tennessee is now “making a distinction” between strong and weak encryption that “is not being made in other states,” though “it wouldn’t surprise me to see other states following suit.”
