Jason C. Gavejian of Jackson Lewis writes:
On March 24, 2016, Tennessee’s breach notification statute was amended when Governor, Bill Hallam, signed into law S.B. 2005.
Under the amendment, notification of a data breach must now be provided to any affected Tennessee resident within 45-days after discovery of the breach (absent a delay request from law enforcement). Previously, and like the vast majority of states, Tennessee’s statute required disclosure of a breach to be made in the most expedient time possible and without unreasonable delay. Florida, like the Volunteer State, previously amended its breach notification statute to also require notification within a set time period.
Read more on Jackson Lewis Workplace Privacy, Data Management & Security Report.The amendment also removes the safe harbor for encrypted data.
Update/Correction: I’m not sure why Gavejian wrote 45 days for notification. The statute says 14 days:
SECTION 3. Tennessee Code Annotated, Section 47-18-2107, is further amended by
deleting subsections (b), (c), and (d) and substituting instead the following:
(b) Any information holder shall disclose any breach of the security of the system, following discovery or notification of the breach in the security of the data, to any resident of Tennessee whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made immediately, but no later than fourteen (14) days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement, as provided in subsection (d).
Update 2: Okay, it seems the bill was amended before it passed, so the 45 days is the outside limit for notification unless there are law enforcement needs.