Tennessee Disclosure of Data Security Breach
Tenn. Code Ann. § 47-18-2107
CITATION:
TN - Tennessee Code Annotated
Title 47 Commercial Instruments And Transactions
Chapter 18 Consumer Protection
Part 21 Identity Theft Deterrence
47-18-2104. Private rights of action.
47-18-2105. Civil penalties and remedies.
47-18-2106. Violation of Tennessee Consumer Protection Act.
47-18-2107. Release of personal consumer information.
47-18-2104. Private rights of action.
(a) Any party commencing a private action pursuant to this part must provide a copy of the complaint and all other initial pleadings to the attorney general and upon entry of any judgment, order or decree of the action, shall mail a copy of such judgment, order or decree to the attorney general within five (5) days of entry of the judgment, order or decree.
(b) A copy of any notice of appeal shall be served by the appellant upon the attorney general, who in the public interest may intervene.
(c) A private action to enforce any liability created under this part may be brought within two (2) years from the date the liability arises, except that where a defendant has concealed the liability to that person, under this part, the action may be brought within two (2) years after discovery by the person of the liability. No action brought by the attorney general shall be subject to the limitation of actions contained herein.
(d) In any private action commenced under this part, if the private party establishes that identity theft was engaged in willfully or knowingly, the court may award three (3) times the actual damages and may provide such other relief as it considers necessary and proper.
(e) The action may be brought in a court of competent jurisdiction in the county where the identity theft or unfair, deceptive or misleading act or practice took place, is taking place, or is about to take place, or in the county in which such person resides, has such person's principal place of business, conducts, transacts, or has transacted business, or, if the person cannot be found in any of the foregoing locations, in the county in which such person can be found.
(f) Without regard to any other remedy or relief to which a person is entitled, anyone affected by a violation of this part may bring an action to obtain a declaratory judgment that the act or practice violates this part and to enjoin the person who has violated, is violating, or who is otherwise likely to violate this part; provided, that such action shall not be filed once the attorney general has commenced a proceeding pursuant to this part or the Tennessee Consumer Protection Act.
(g) Upon a finding by the court that a provision of this part has been violated, the court may award to the person bringing such action reasonable attorneys' fees and costs.
History
Acts 1999, ch. 201, § 5; 2019, ch. 459, § 38.
47-18-2105. Civil penalties and remedies.
(a)
(1) Whenever the attorney general has reason to believe that a person has engaged in, is engaging in, or based upon information received from another law enforcement agency, is about to engage in any unlawful act or practice under this part and that proceedings would be in the public interest, the attorney general may bring an action in the name of the state against the person to restrain by temporary restraining order, temporary injunction, or permanent injunction the use of such act or practice. Additionally, the state may request an asset freeze or any other appropriate and necessary orders against such person.
(2) As part of any action brought pursuant to subdivision (a)(1), the attorney general shall certify that the division of consumer affairs complied with § 47-18-5002(2) unless the attorney general determines that the purposes of this part will be substantially impaired by delaying legal proceedings.
(b) The action may be brought in the chancery or circuit court in Davidson County or in a court of competent jurisdiction where the alleged violation of this part, identity theft, unfair, misleading or deceptive act or practice took place or is about to take place or in the county in which the person resides, has the person's principal place of business, conducts, transacts or has transacted business or, if the person cannot be found, in any of the locations listed in this subsection (b), in the county in which the person can be found.
(c) The courts are authorized to issue orders and injunctions to restrain and prevent violations of this part or issue any other necessary or appropriate relief or orders. Such orders and injunctions shall be issued without bond to the state of Tennessee.
(d) Notwithstanding any other law, a violation of this part shall be punishable by a civil penalty of whichever of the following is greater: ten thousand dollars ($10,000), five thousand dollars ($5,000) per day for each day that a person's identity has been assumed or ten (10) times the amount obtained or attempted to be obtained by the person using the identity theft. This civil penalty is supplemental, cumulative and in addition to any other penalties and relief available under the Tennessee Consumer Protection Act, or other laws, regulations or rules.
(e) In any successful action commenced under this part, any ascertainable loss that a person has incurred as a result of a violation of this part, including, but not limited to, the identity theft or misleading, deceptive or unfair practices used to engage in violations of this part shall be recovered as restitution for each such person. The person shall also be awarded statutory interest on that ascertainable loss.
(f) In any successful action commenced by the attorney general under this part, the court shall also order reimbursement to the attorney general of the reasonable attorneys' fees, costs and expenses of the investigation and prosecution under this part.
(g) No court costs, litigation costs, discretionary costs or attorneys' fees shall be taxed or awarded against the state in an action commenced under this part or under the Tennessee Consumer Protection Act.
(h) Any knowing or willful violation of the terms of an injunction or order issued pursuant to this part in an action commenced by the attorney general shall be punishable by a civil penalty of not more than five thousand dollars ($5,000) for each and every violation of the order recoverable by the state, in addition to any other appropriate relief, including, but not limited to, contempt sanctions and the awarding of attorneys' fees and costs to the state for any filings relating to violations of any order under this part.
(i) An order or judgment issued as a result of an action commenced by the attorney general shall in no way affect individual rights of action which may exist independent of the recovery of money or property received under such order or judgment. If a particular person receives restitution as a result of an action commenced by the attorney general, those funds shall act only as a set-off against any award of money received in the person's private right of action proceedings.
History
Acts 1999, ch. 201, § 6; 2007, ch. 170, §§ 7-9; 2019, ch. 459, §§ 39-41.
47-18-2106. Violation of Tennessee Consumer Protection Act.
(a) A violation of this part constitutes a violation of the Tennessee Consumer Protection Act.
(b) For the purpose of application of the Tennessee Consumer Protection Act, any violation of this part shall be construed to constitute an unfair or deceptive act or practice affecting trade or commerce and subject to the penalties and remedies as provided in that act, in addition to the penalties and remedies set forth in this part.
(c) If the attorney general has reason to believe that a person has violated this part, then the attorney general may institute a proceeding under this chapter.
History
Acts 1999, ch. 201, § 7; 2019, ch. 459, § 42.
47-18-2107. Release of personal consumer information.
(a) As used in this section:
(1) “Breach of system security”:
(A) Means the acquisition of the information set out in subdivision (a)(1)(A)(i) or (a)(1)(A)(ii) by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder:
(i) Unencrypted computerized data; or
(ii) Encrypted computerized data and the encryption key; and
(B) Does not include the good faith acquisition of personal information by an employee or agent of the information holder for the purposes of the information holder if the personal information is not used or subject to further unauthorized disclosure;
(2) “Encrypted” means computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2;
(3) “Information holder” means any person or business that conducts business in this state, or any agency of this state or any of its political subdivisions, that owns or licenses computerized personal information of residents of this state;
(4) “Personal information”:
(A) Means an individual's first name or first initial and last name, in combination with any one (1) or more of the following data elements:
(i) Social security number;
(ii) Driver license number; or
(iii) Account, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; and
(B) Does not include information that is lawfully made available to the general public from federal, state, or local government records or information that has been redacted, or otherwise made unusable; and
(5) “Unauthorized person” includes an employee of the information holder who is discovered by the information holder to have obtained personal information with the intent to use it for an unlawful purpose.
(b) Following discovery or notification of a breach of system security by an information holder, the information holder shall disclose the breach of system security to any resident of this state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made no later than forty-five (45) days from the discovery or notification of the breach of system security, unless a longer period of time is required due to the legitimate needs of law enforcement, as provided in subsection (d).
(c) Any information holder that maintains computerized data that includes personal information that the information holder does not own shall notify the owner or licensee of the information of any breach of system security if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made no later than forty-five (45) days from the discovery or notification of the breach of system security, unless a longer period of time is required due to the legitimate needs of law enforcement, as provided in subsection (d).
(d) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. If the notification is delayed, it must be made no later than forty-five (45) days after the law enforcement agency determines that notification will not compromise the investigation.
(e) For purposes of this section, notice may be provided by one (1) of the following methods:
(1) Written notice;
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 or if the information holder's primary method of communication with the resident of this state has been by electronic means; or
(3) Substitute notice, if the information holder demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), that the affected class of subject persons to be notified exceeds five hundred thousand (500,000) persons, or the information holder does not have sufficient contact information and the notice consists of all of the following:
(A) Email notice, when the information holder has an email address for the subject persons;
(B) Conspicuous posting of the notice on the information holder's website, if the information holder maintains a website page; and
(C) Notification to major statewide media.
(f) Notwithstanding subsection (e), if an information holder maintains its own notification procedures as part of an information security policy for the treatment of personal information and if the policy is otherwise consistent with the timing requirements of this section, the information holder is in compliance with the notification requirements of this section, as long as the information holder notifies subject persons in accordance with its policies in the event of a breach of system security.
(g) If an information holder discovers circumstances requiring notification pursuant to this section of more than one thousand (1,000) persons at one (1) time, the information holder must also notify, without unreasonable delay, all consumer reporting agencies, as defined by 15 U.S.C. § 1681a, and credit bureaus that compile and maintain files on consumers on a nationwide basis, of the timing, distribution, and content of the notices.
(h) Any customer of an information holder who is a person or business entity, but who is not an agency of this state or any political subdivision of this state, and who is injured by a violation of this section, may institute a civil action to recover damages and to enjoin the information holder from further action in violation of this section. The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
(i) This section does not apply to any information holder that is subject to:
(1) Title V of the Gramm-Leach-Bliley Act of 1999 (Pub. L. No. 106-102); or
(2) The Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. § 1320d et seq.), as expanded by the Health Information Technology for Clinical and Economic Health Act (42 U.S.C. § 300jj et seq., and 42 U.S.C. § 17921 et seq.).
History
Acts 2005, ch. 473, § 1; 2016, ch. 692, §§ 1-4; 2017, ch. 91, § 1.
Disclosure of Data Security Breach (Tennessee Code Annotated Sec. 47-18-2107, added by Laws of 2005, Chapter 473, approved June 18, 2005, effective July 1, 2005.)
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.