Here are some perspectives by law firms.
From SheppardMullin:
Tennessee has joined a handful of other states to provide certain safe harbors in the cybersecurity realm. Unlike others, the law sites beside -but does not modify- the states’ data breach notification law. Also unlike others, the safe harbor is very narrowly tailored, and is not triggered by having a data security program.
Under the new law, companies are not liable in class action suits that arise from a “cybersecurity event.” The term is defined similarly to that used by the SEC when describing public entities 8K filing obligations. Namely, an event that arises from unauthorized access or misuse of either an “information system” or “non-public” information stored on that system.
From Winston & Strawn:
On May 22, 2024, Tennessee joined Florida and West Virginia in enacting legislation that provides a legal safe harbor for companies that have experienced a cyberattack. The law is designed to shield private entities from class action lawsuits stemming from a cybersecurity event unless the event was caused by willful, wanton, or gross negligence.
Broadly speaking, the legislation will make it more difficult for plaintiffs to sue Tennessee companies for data exposure. This is unwelcome news for class action plaintiffs’ law firms in Tennessee, as they can no longer premise a lawsuit suit against companies that were cyberattacked on mere allegations that the companies were negligent in protecting consumer data. The bar to allege an actionable claim is now considerably higher.
From Ritter Gallagher
Data breach class actions have exploded in recent years. Change Healthcare suffered a ransomware attack in February 2024, and by April was mounting its defense against dozens of class action lawsuits. Similarly, Ascension St. Thomas was first impacted by ransomware on May 8, 2024. An Ascension patient filed a class action lawsuit only sixteen days later. In the 44-page complaint, the Plaintiff alleges that the breach was the result of Ascension’s negligence (i.e., a failure to use reasonable security measures to protect patients’ personal information).
HB 2434’s requirement that gross negligence be present for a private entity to be subject to a class action lawsuit is legally significant. Under Tennessee’s common law, there is a clear difference between negligence and gross negligence. The latter requires evidence of a defendant’s subjective mental state, also referred to as willful or wanton misconduct. [3]
The question that naturally follows is: what are the negligence thresholds in the context of a security event? Take Change Healthcare’s admission that the root cause of the incident was the failure to implement multi-factor authentication on a remote access platform. Simply, and without detailing the basic elements of a negligence claim, to establish that Change Healthcare exhibited gross negligence, a class action plaintiff’s attorney would need to show that the company was aware of the absence of multi-factor authentication and disregarded the potential repercussions. While certainly not impossible, this is a far higher evidentiary bar to hurdle.