Tennessee Data Breach Law
Tennessee Data Breach, Privacy & Cybersecurity Legislation
TN Data Security & Privacy Landscape
Tennessee's cybersecurity, data and privacy legislation is evolving. Tennessee has been actively strengthening its legislative framework around data security, privacy, and cybersecurity. Businesses operating within the state or handling the personal information of Tennessee residents must be acutely aware of these regulations to ensure compliance and mitigate significant legal and financial risks.
Tennessee Information Protection Act (TIPA) – Effective July 1, 2025
The Tennessee Information Protection Act (TIPA) is a significant step towards comprehensive consumer data privacy in the state. Key provisions include:
- Applicability: Applies to businesses that conduct business in Tennessee or target Tennessee residents, with specific revenue and consumer data processing thresholds (e.g., over $25 million in annual revenue AND processing personal information of 175,000+ TN consumers, or 25,000+ TN consumers if deriving 50%+ gross revenue from data sales).
- Consumer Rights: Grants consumers rights to access, confirm processing, correct, delete, and obtain a copy of their personal information, as well as the right to opt-out of targeted advertising, sale of personal information, and certain profiling.
- Data Protection Assessments (DPAs): Requires DPAs for high-risk processing activities like targeted advertising, data sales, and profiling. (See Cyber Risk Assessment & Vulnerability Scan)
- Data Minimization & Security: Mandates that businesses limit data collection to what is necessary and maintain “reasonable administrative, technical, and physical data security practices.”
- Affirmative Defense: Uniquely, TIPA offers an affirmative defense against violations if a controller or processor creates, maintains, and complies with a written privacy program that “reasonably conforms” to the NIST Privacy Framework or other specified standards.
- Enforcement: Exclusively enforced by the Tennessee Attorney General, with potential civil penalties up to $7,500 per violation. No private right of action for consumers.
Tennessee Data Breach Notification Law (T.C.A. § 47-18-2107)
This law requires any individual, business, or governmental entity that owns, licenses, or maintains personal information of Tennessee residents to notify affected individuals in the event of a security breach. Key aspects include:
- Personal Information Definition: Includes first name or initial and last name combined with Social Security number, driver’s license number, or financial account number with access code.
- Notification Timing: “Immediately, but no later than 45 days” from discovery or notification of the breach, unless delayed by law enforcement.
- Notification Method: Written, electronic, or substitute notice (if certain conditions are met, such as cost exceeding $250,000 or affecting over 500,000 individuals).
- Consumer Reporting Agency Notice: If over 1,000 residents are notified, consumer reporting agencies must also be informed without unreasonable delay.
- Encryption Safe Harbor: Generally, notification is not required for encrypted data if the encryption key was not also acquired.
Tennessee Insurance Data Security Law (T.C.A. § 56-2-1001 et seq.)
Based on the NAIC Data Security Model Law, this legislation mandates that insurance licensees in Tennessee implement comprehensive information security programs. Requirements include:
- Conducting risk assessments.
- Implementing and maintaining security controls.
- Developing incident response plans.
- Overseeing third-party service providers.
- Reporting cybersecurity events to the Tennessee Insurance Commissioner.
Tennessee Cybersecurity Event Class Action Safe Harbor (Public Chapter 991)
Enacted in 2024, this law provides a legal safe harbor for private entities against class action lawsuits resulting from cybersecurity events, provided the event was not caused by “willful and wanton misconduct or gross negligence.” This raises the liability standard for plaintiffs in such cases.
Cyber Risk Definitions and Issues in Tennessee
Cyber risk is the potential for loss or harm due to a cyberattack or security incident. For Tennessee businesses, common issues that amplify these risks include:
- Inadequate Data Governance: Not knowing what data is collected, where it’s stored, or who has access.
- Insufficient Security Controls: Lack of strong encryption, multi-factor authentication, or robust intrusion detection systems.
- Employee Negligence: Human error, such as falling for phishing scams or mishandling sensitive data.
- Outdated Systems: Running legacy software or hardware with known vulnerabilities.
- Supply Chain Vulnerabilities: Weak security practices at third-party vendors or Nth-party suppliers.
Proactive risk assessment is crucial. For a deeper understanding of risk management, visit TEKRiSQ’s Risk Assessment page.
Examples of Cyber Exposures for Tennessee Organizations
Failure to comply with Tennessee’s cybersecurity and privacy laws can lead to specific cyber exposures:
- TIPA Violations: Processing sensitive personal information without consent, failing to honor consumer rights requests, or not conducting required Data Protection Assessments.
- Data Breach Penalties: Fines and legal action under the Data Breach Notification Law for delayed or improper notification.
- Insurance Licensee Sanctions: Penalties from the Department of Commerce and Insurance for non-compliance with the Insurance Data Security Law.
- Class Action Lawsuits: While the new safe harbor exists, gross negligence or willful misconduct can still lead to costly class action litigation following a cybersecurity event.
- Reputational Damage: Public loss of trust due to mishandling of personal information, impacting customer loyalty and business opportunities.
Vulnerability, TPRM & Nth Party Issues in Tennessee Compliance
Vulnerability Management:
Tennessee’s laws, particularly TIPA’s requirement for “reasonable administrative, technical, and physical data security practices,” implicitly demand robust vulnerability management. Organizations must continuously identify, assess, and remediate security flaws in their systems and applications to prevent unauthorized access and data breaches. Effective Vulnerability Management is foundational to meeting these security obligations.
Third-Party Risk Management (TPRM):
TIPA requires controllers to enter into written contracts with data processors that include data-handling safeguards. This directly impacts TPRM, as businesses must ensure their third-party vendors (cloud providers, software vendors, data analytics firms) adhere to the same security and privacy standards. A weak link in your third-party chain can lead to your own non-compliance and a breach. Strengthen your vendor oversight with TEKRiSQ’s TPRM solutions.
Nth Party Risk:
The interconnected nature of modern business means that a breach at a sub-processor (an Nth party) of your direct vendor can still expose Tennessee resident data. While not explicitly detailed in TN law, prudent risk management, especially for sensitive data, dictates understanding and managing risks throughout the entire supply chain. Proactive Nth Party Risk Management helps ensure that your extended ecosystem meets necessary security standards.
Staying Compliant in Tennessee
Given the evolving nature of cybersecurity threats and legal requirements, Tennessee businesses should:
- Conduct regular data inventories and mapping to understand what personal information they collect and where it resides.
- Implement and regularly review comprehensive information security programs aligned with frameworks like NIST.
- Provide ongoing employee training on data privacy and cybersecurity best practices.
- Develop and test robust incident response plans.
- Engage with legal and cybersecurity experts to ensure continuous compliance and adapt to new legislative changes.
For official legislative information, consult the Tennessee General Assembly website.