Mandatory Timeframe for Breach Reporting and/or Consumer Notification
Within 45 Days
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect personal information
Written Program for Protection/Security
Third Party: Specific Obligations
Third Party: Mandated Contracts
Requests for Information
Fines & Penalties
Violations of Breach and Notification Laws
Civil Action to recover damages
Third Party Management
None to minimal
If notification is required to more than 1,000 persons, it must be reported, without unreasonable delay, to all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis.
Vendors should notify the data owner of any breach if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person, no later than 45 days from the discovery or notification of the breach.
Violations of Tennessee’s data disposal law may be punishable by a civil penalty in the amount of $500, up to $10,000, for each record containing a customer’s personal identifying information that is wrongfully disposed of or discarded.
Separate state laws exist relating to student data and health records.
If your breach affects residents of other states, you will need to notify those residents under each state's own rules.
Statutes and Laws
Tenn. Code § 47-18-2107 Release of personal consumer information (2005)
Tenn. Code § 47-18-2110 Protecting social security numbers from disclosure (2007)
Tenn. Code § 39-14-150 Identity theft victims’ rights (1999)