The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
Data Breach Notification Statute
Covered Entities: Any person or business that conducts business in Tennessee, or any agency of Tennessee or any of its political subdivisions, that owns or licenses computerized personal information of Tennessee residents.
Consumer Notification: Notification must be provided to any Tennessee resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Regulatory Notification: N/A
Notification Timeline: Notification must be provided “no later than forty-five (45) days from the discovery or notification of the breach of system security …”
Data Format: Electronic.
Citations: Tenn. Code § 47-18-2107.
- Breach: Acquisition of unencrypted computerized data or encrypted computerized data along with the encryption key by an unauthorized person that “materially compromises the security, confidentiality, or integrity of personal information …”
- Personal Information (PI): An individual's first name / first initial and last name, in combination with any one or more of the following data elements:
- Social Security number;
- Driver license number; or
- Account, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
- Medical Information: N/A
- Health Insurance Information: N/A
- Encryption: Notification is not required where personal information was rendered unusable, unreadable, or indecipherable without the use of a decryption process or key.
- Good Faith: Notification is not required where the personal information was acquired in good faith by an employee or agent of the information holder for the purposes of the information holder, if the personal information is not used or subject to further unauthorized disclosure.
- Risk of Harm: N/A
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation. If the notification is delayed, it must be made no later than forty-five (45) days after the law enforcement agency determines that notification will not compromise the investigation.
- Timing: Notification must be provided no later than forty-five (45) days from the discovery or notification of the breach of system security, unless a longer period of time is required due to the legitimate needs of law enforcement.
- Format: N/A
- Content: N/A
- Method: Notification must be provided via written notice or electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 or if the information holder's primary method of communication with the resident of this state has been by electronic means.
An information holder may provide substitute notice if it demonstrates that (1) the cost of providing notice would exceed $250,000, (2) the affected class of subject persons to be notified exceeds 500,000, or (3) it does not have sufficient contact information. Substitute notice must consist of all of the following:
- Email notice, when the information holder has an email address for the subject persons;
- Conspicuous posting of the notice on the information holder's website, if the information holder maintains a website page; and
- Notification to major statewide media.
Credit Reporting Agencies Notice:
If notification must be provided to “more than one thousand (1,000) persons at one (1) time, the information holder must also notify, without unreasonable delay, all consumer reporting agencies …”
An information holder that maintains computerized data that includes personal information that it does not own shall notify the owner or licensee of the information, within forty-five (45) days, of any breach of system security if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
This statute does not apply to any information holder that is subject to the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. § 1320d et seq.), as expanded by the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. § 300jj et seq., and 42 U.S.C. § 17921 et seq.).
Any customer of an information holder who is a person or business entity, but who is not an agency of this state or any political subdivision of this state, and who is injured by a violation of this section, may institute a civil action to recover damages and to enjoin the information holder from further action in violation of this section. The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
Comprehensive Data Privacy Law
Tennessee Information Protection Act (TIPA)
Tennessee Code Annotated, §§ 47-18-3201 to 47-18-3213
Controllers that conduct business in Tennessee or produce or deliver commercial products or services intentionally targeted to Tennessee residents and that:
- Exceed twenty-five million dollars ($25,000,000) in revenue; and
- Control or process personal data of twenty-five thousand (25,000) or more consumers and derive more than fifty percent (50%) of gross revenue from personal information sales; or
- During a calendar year, control or process personal information of one hundred seventy-five thousand (175,000) consumers or more.
TIPA excludes from its scope certain entities, such as state and local government, financial institutions subject to Title V of the GLBA, insurance companies regulated under state law, entities subject to the privacy and security rules of HIPAA and HITECH, non-profits, and institutions of higher education. In addition, the Act excludes from its scope certain types of information, such as information protected by HIPAA, health records, patient identifying information, personal information processed for purposes of certain types of research, information regulated by the Health Care Quality Improvement Act of 1986, the Patient Safety and Quality Improvement Act, the Fair Credit Reporting Act, the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act, and the Farm Credit Act, as well as employment-related data.
Covered Entity Obligations:
- Limit the collection of Personal Information to that which is adequate, relevant, and reasonably necessary for the purpose for which the information is processed, as disclosed to the consumer.
- Refrain from processing Personal Information for purposes that are not reasonably necessary for, or compatible with, the purposes disclosed to the consumer unless the consumer’s consent has been obtained.
- Establish, implement, and maintain reasonable administrative, technical, and physical data security procedures and practices commensurate with the nature of the personal information so as to protect the confidentiality, integrity, and accessibility of Personal Information.
- Comply with consumer data requests in a timely and efficient manner.
- Not process Personal Information in violation of state and federal laws that prohibit discrimination against consumers and not discriminate against consumers who exercise such rights.
- Obtain consent for processing Sensitive Personal Information from consumers and comply with applicable regulations when processing Personal Information of a known child.
- Provide consumers with a reasonably accessible and clear privacy notice that describes the categories of Personal Information processed by the controller; the purpose for processing the personal information and whether such information is sold or shared and to whom; and how consumers may exercise their individual rights, including how a consumer may appeal a controller’s decision regarding a consumer’s request.
- Provide consumers with one or more secure and reliable means for them to submit a request to exercise their consumer rights, taking into account a consumer’s normal interactions and communication needs and a controller’s ability to authenticate the identity of the consumer.
- Establish binding contractual arrangements with processors and third parties clearly outlining their roles and responsibilities.
- Conduct and document a data protection assessment before conducting processing activities that present a heightened risk of consumer harm, such as for:
- Targeted advertising.
- Selling Personal Data.
- Profiling that presents a reasonably foreseeable risk of: unfair or deceptive treatment of or unlawful disparate impact on consumers; financial, physical, or reputational injury to consumers; a physical or other intrusion on consumers' solitude, seclusion, private affairs, or private concerns, if it would offend a reasonable person; or another substantial consumer injury.
- Processing sensitive data.
A Controller must respond without undue delay and within forty-five (45) days to verified consumer requests regarding the processing of Personal Information and Sensitive Personal Information, including consumers’:
- Right to know and access Personal Information;
- Right to correct inaccurate Personal Information;
- Right to request deletion of Personal Information;
- Right to obtain Personal Information in a format that is generally portable, readily usable, and transmittable;
- Right to opt out of Personal Information sales, targeted advertising, and profiling for decisions producing legal or other similarly significant effects concerning the consumer; and
- Right to non-discrimination for exercising their consumer rights.
Additionally, a Controller shall establish a process for the consumer to appeal the Controller’s refusal to take action on a request. The appeal process must be conspicuously available, at no cost to the consumer, and similar to the process for submitting requests to initiate action. The Controller is required to take action within sixty (60) days of receipt of an appeal and inform the consumer in writing of the action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision, and must provide a mechanism for the consumer to contact the Attorney General if the appeal is denied.
- Consumer: An individual who is a Tennessee resident acting only in a personal context; this definition does not include individuals acting as a job applicant or beneficiary of someone in an employment context.
- Controller: A natural or legal person that, alone or jointly with others, determines the purposes and means for processing Personal Information.
- Personal Information: Information linked to or reasonably linkable to an identified or identifiable individual. Personal Information excludes: de-identified or aggregate information and publicly available information (defined as information lawfully made available through federal, state, or local government records, and information that a Controller has a reasonable basis to believe the consumer has lawfully made available to the general public).
- Profiling: Any form of automated processing of Personal Information to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Sale of Personal Data: The exchange of Personal Information for valuable monetary consideration by the Controller to a third party. The following disclosures are excluded from this definition: (i) disclosure to a processor for processing on behalf of the Controller; (ii) disclosures to a third party to provide a product or service requested by the Consumer; (iii) disclosures to an affiliate of the Controller; (iv) disclosures made by a Consumer to the general public via mass media; and (v) a disclosure or transfer as an asset in a merger or other transaction in which the third party assumes control of all or part of the Controller’s assets.
- Sensitive Personal Data: Personal Data revealing: racial or ethnic origin, religious beliefs, mental/physical health condition or diagnosis, sexual orientation, or citizenship/citizenship status; genetic and biometric data; Personal Information collected from a known child and precise geolocation data.
- Targeted Advertising: Displaying to a consumer an advertisement based on Personal Information obtained from the consumer’s activities over time and across nonaffiliated websites or applications to predict the consumer’s interests or preferences. Excludes: (i) advertisements based on activities within the Controller’s own websites or applications; (ii) advertisements based on the context of the consumer’s current search query or visit to a website or application; (iii) advertisements directed to the consumer in response to the consumer’s request; or (iv) Personal Information processed solely for measuring or reporting advertisement performance.
Violations of the TIPA constitute an unfair trade practice and may be enforced by the Attorney General and Reporter, with a sixty (60) day cure period. The maximum civil penalty for violations is $7,500 per violation.
Effective Date: July 1, 2025
Insurance Data Security Statute
Covered Entities: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Tennessee, not including a purchasing group or a risk retention group chartered and licensed in a state other than Tennessee or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
Security Standard: A licensee must develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment that contains administrative, technical, and physical safeguards for nonpublic information and the licensee’s information systems.
Consumer Notification: Following a determination that a cybersecurity event has occurred, and that the cybersecurity event has a reasonable likelihood of materially harming a consumer, a licensee shall notify consumers residing in this state whose nonpublic information has been acquired, or reasonably believed to have been acquired, by the cybersecurity event. The disclosure must be made no later than 45 days after the determination of the cybersecurity event, unless a longer period of time is required due to the legitimate needs of law enforcement.
Regulatory Notification: A licensee shall notify the Commissioner of Insurance as promptly as possible, but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred, when either of the criteria referenced below has been met.
Notification Timeline: As promptly as possible, no later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred.
Citations: T.C.A. §§ 56-2-1001 to 56-2-1011
- Consumer: An individual, including an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of this state and whose nonpublic information is in a licensee's possession, custody, or control.
- Cybersecurity Event: An event resulting in unauthorized access to, disruption, or misuse of an information system or nonpublic information stored on an information system, except that a “cybersecurity event” does not include any of the following:
- The unauthorized acquisition of encrypted nonpublic information if the encryption process or key is not also acquired, released, or used without authorization.
- An event in which the licensee determines that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
- Licensee: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered under Tennessee insurance laws.
- Nonpublic Information: Information in the possession, custody, or control of a licensee that is not publicly available information and is any of the following:
- Business-related information of a licensee, the tampering with, unauthorized disclosure of, access to, or use of which would cause a material adverse impact to the business, operations, or security of the licensee;
- Information concerning a consumer that can be used to identify the consumer, in combination with the following data elements:
- Social Security number;
- Driver’s license number or nondriver identification card number;
- Financial account number or credit or debit card number;
- Security code, access code, or password that would permit access to a consumer’s financial account; or
- Biometric records.
- Information or data, except a person's age or sex, created by or derived from a healthcare provider or a consumer that relates to:
- The past, present, or future physical, mental, or behavioral health or health condition of a consumer or a member of a consumer's immediate family;
- The provision of health care to a consumer; or
- Payment for the provision of health care to a consumer.
A licensee shall notify the Commissioner of Insurance as promptly as possible, no later than 3 business days from a determination that a cybersecurity event involving nonpublic information has occurred, when either of the following criteria has been met:
- The licensee is domiciled in this state, in the case of an insurer, as defined in § 56-6-102, or this state is the licensee's home state, in the case of an insurance producer;
- The cybersecurity event has a reasonable likelihood of materially harming a consumer residing in this state or a material part of the licensee's normal operations; or
- The licensee reasonably believes that the nonpublic information of 250 or more consumers residing in this state is involved in the cybersecurity event and that the cybersecurity event is:
- A cybersecurity event of which notice must be provided to a government body, self-regulatory agency, or other supervisory body pursuant to state or federal law; or
- A cybersecurity event with a reasonable likelihood of materially harming a consumer residing in this state or a material part of the licensee's normal operations.
When notifying the Commissioner of Insurance of a cybersecurity event, a licensee shall provide as much of the following information as possible:
- The date of the cybersecurity event;
- A description of how the nonpublic information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers with respect to the nonpublic information, if any;
- How the cybersecurity event was discovered;
- Whether lost, stolen, or breached nonpublic information has been recovered and, if so, how recovery was accomplished;
- The identity of the source of the cybersecurity event;
- Whether the licensee has filed a police report or notified regulatory, governmental, or law enforcement agencies and, if so, when the notification was provided;
- A description of the specific types of nonpublic information or particular data elements acquired without authorization, which may include types of medical information, types of financial information, or types of information allowing for consumer identification;
- The period during which the licensee's information system was compromised by the cybersecurity event;
- The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide its best estimate of this number of consumers in its initial report to the commissioner and update this estimate with each subsequent report to the commissioner pursuant to this subsection (b);
- The results of an internal review and whether the review identified whether automated controls or internal procedures were followed or adhered to;
- A description of the efforts to remediate the situation that permitted the cybersecurity event to occur;
- The name of a person who is both knowledgeable regarding the cybersecurity event and authorized to act on behalf of the licensee to serve as a representative of the licensee for contact from the commissioner; and
- A copy of the notice sent to affected consumers, if the notice is required under subsection C.
The licensee shall continually provide material updates or supplements to the information provided.
Third-Party Notice Requirements:
In the case of a cybersecurity event involving nonpublic information in the possession, custody, or control of a third-party service provider of a licensee that is an assuming insurer, the assuming insurer shall notify the affected ceding insurers and the commissioner of the licensee's state of domicile within 3 business days of the third-party service provider notifying the licensee of the cybersecurity event or the licensee otherwise gaining actual knowledge of the cybersecurity event, whichever is sooner.
Furthermore, ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements under this section.
The commissioner may seek penalties under § 56-2-305 for a violation of this part. Penalties include payment of a monetary penalty of not more than $1,000 for each violation, not to exceed an aggregate penalty of $100,000, unless the insurer, person, or entity knowingly violates a statute, rule, or order, in which case the penalty shall not be more than $25,000 for each violation, not to exceed an aggregate penalty of $250,000. This subdivision (a)(2) shall not apply where a statute or rule specifically provides for other civil penalties for the violation. For purposes of this subdivision (a)(2), each day of continued violation shall constitute a separate violation.