In a move that should alarm any company conducting business in Tennessee, the Tennessee legislature recently amended its data security statute and apparently eliminated the encryption safe harbor. The safe harbor, which exists in nearly every state in some form, rendered the security breach notification law inapplicable if the breached information was encrypted. In other words, a company doing business in Tennessee that owns or licenses personal information in electronic form would have been excused from complying with the onerous breach notification requirements if it had taken care to encrypt the information in its possession prior to the breach. Effective July 1, 2016, however, this risk mitigation strategy may no longer suffice to protect your company from liability in the event of a security breach.
Encryption still important
The apparent elimination of Tennessee’s encryption safe harbor should not, however, suggest that encryption is no longer worth the investment. As a practical matter, a company that does business in Tennessee and in other states will want to continue using encryption, since it will still be able to take advantage of the encryption safe harbors in those other states should a security breach occur there.
Additionally, even if a company’s business activities are confined to Tennessee, the amended statute keeps the “risk assessment” language that allows the company to assess whether the unauthorized acquisition of data (i.e., the breach) “materially compromises the security, confidentiality, or integrity of personal information.” If the unauthorized acquisition of personal information does not materially compromise the security, confidentiality, or integrity of the information, then no security breach has occurred within the meaning of the statute. Thus, if your company experiences a breach but all of the information acquired is subject to a strong encryption program, there may be a plausible argument that the information has not been materially compromised and that the statutory notification requirements are inapplicable.
Notwithstanding the apparent legislative intent to eliminate the encryption safe harbor, the amended statute arguably contains a remnant of the safe harbor (perhaps as the result of an oversight by the legislature). Although the legislature amended the statute to delete the word “unencrypted” from the definition of what constitutes a security breach, it did not amend the definition of “personal information.” Instead, “personal information” continues to be defined as an individual’s first name (or first initial) and last name combined with a Social Security number, driver’s license number, or financial account (or credit or debit card) number with a corresponding code/password – but only if the individual’s name or data elements are unencrypted.
Thus, under a literal reading of the amended statute, if the individual’s name and data elements are encrypted then there is no “personal information” in the first place. Given that a breach continues to be defined to apply only to “personal information,” the lack of personal information would mean the lack of a breach and therefore no obligation to comply with the notification requirements of the statute. Although this interpretation of the amended statute seemingly conflicts with the apparent intent to eliminate the encryption safe harbor, the argument would be worth asserting in the event of a security breach that affects only encrypted information. Ultimately, it will be up to the courts to resolve this apparent conflict within the amended statute.
Protection against negligence claims
There is yet another reason to maintain encryption programs notwithstanding the statutory amendment. Data security breaches inevitably lead to litigation and regulatory investigations, and aggrieved parties often assert negligence claims against those who failed to adequately protect their personal information. Information holders that utilize readily available encryption programs will have a much stronger defense to a negligence claim than will entities that choose to save the costs of encryption and leave personal information exposed. Moreover, it may be more difficult for a plaintiff to prove damages if the personal information is inaccessible due to a strong encryption program.
Further action steps
In addition to maintaining the strongest possible encryption measures, companies doing business in Tennessee should review their incident response plans to ensure that they are prepared to respond quickly to the unauthorized acquisition of encrypted data. The need to respond quickly is even more urgent than it was previously because the amended statute also shortens the time to respond to a security breach to 45 days from the date the breach is discovered.
Tennessee’s amended data security statute markedly increases the risk that a company will face in the event of a security breach because the use of encryption alone is no longer a surefire way to avoid reporting requirements and statutory liability. It will be very interesting to see if any other states follow Tennessee’s lead and remove the encryption safe harbor from their breach notification laws.