Today I was listening to a webinar presentation by the California Attorney General’s Office on the Golden State’s annual data breach report and recommendations. In the Q&A follow-up, someone asked if California might join Tennessee in eliminating the legal safe harbor from data breach reporting if lost or stolen devices have encryption. Wait…what?
I didn't believe it at first. But I went and looked it up and, sure enough, an amendment to Tennessee’s data breach notification statute has eliminated a provision requiring notice only in the event of a breach of unencrypted personal information. S.B. 2005 was signed by Gov. Bill Haslam on March 24, 2016, and will take effect on July 1, 2016.
As Jason Gavejian and James Mulroy of the law firm Jackson Lewis noted, “it appears that Tennessee is the first state in the country to require breach notification regardless of whether the affected information was encrypted.”
Other attorneys with expertise in healthcare privacy are weighing in. In a blog post Stephen Embry of Frost Brown Todd LLC said the changes “could pose substantial burdens on businesses and professional organizations that do business in Tennessee and maintain personal information of Tennessee residents.”
Embry notes that encryption is a data security best practice, particularly for data in transit. “While encrypted data may conceivably be hackable (depending on the strength of the encryption), it nevertheless provides the best available protection. …Encrypted data is not, as the sponsor of the Tennessee amendments, Sen. Bill Ketron, argued ‘now being stolen almost as easily as unencrypted [data].’ Far from it.”
He also noted that data breach notification is expensive and can panic those whose data has been allegedly compromised. “It can create huge reputational losses to the business. Yet despite this, a literal reading of the Tennessee notice statute as now amended, requires notice even if the data is encrypted and simply can’t be accessed by the bad guys.”
Other commenters have noted that although there will no longer be a blanket exception for encryption in Tennessee, it can still be considered as part of an organization’s risk analysis to determine if notification is necessary.
In addition to the encryption change, Tennessee changed its reporting timeline. The state formerly required only that notice be given without unreasonable delay, consistent with the needs of law enforcement and with any measures necessary to determine the scope of the breach and restore the integrity of the system. As Embry noted, this gave businesses some time to investigate, determine what had been lost, and make sure the systems were secure and not subject to any additional breach.
But as of July 1, notice must be given no later than 45 days after the breach is discovered. Only five other states impose a notification deadline as short as 45 days.
So Tennessee health systems that deal with lost and stolen laptops and thumb drives will no longer be able to rely on the encryption safe harbor to avoid notification; encryption still protects the data, but under a literal reading of the amended statute it no longer excuses the notice. It will be interesting to see how this plays out and whether any other state follows suit.