March 28, 2025
Tennessee Cyber & Data Security Laws, as well as Cybersecurity Data Breach Laws apply to businesses of different types, with various exemptions available. The two main sections discussed here cover the Insurance Data Security Law and the rules that govern a breach.
Tennessee passed an Insurance Data Security Law which took effect July 1, 2021. It is based upon the NAIC Data Security Model Law that is present in over 20 States.
The law modernized, defined and toughened existing security measures that Tennessee insurance carriers must take to protect consumer information. Under the law, insurance carriers must:
A licensee must notify the Insurance Commissioner of a cyber security event in accordance with Tennessee Code Annotated, Title 56, Chapter 2. To report a new cyber security event or update an existing cyber security event, licensees can select the following link
Each insurer domiciled in Tennessee who does not qualify for an exemption must annually, on or before April 15th, submit a written statement to the Commissioner of the Department of Commerce and Insurance certifying that the insurer is in compliance with the Insurance Data Security Law. The Compliance Certification form can be accessed here. Submit a Compliance Certification to Insurance.DataSecurity@tn.gov
A licensee or employees, agents, representatives, or designees of a licensee, may be exempted from the required compliance certification pursuant to the Insurance Data Security Law if they meet any of the following criteria:
In order to validate the exception qualification, a written Exemption Certification form must be completed and returned to the Insurance Division. Exemption Certification Form link. To Submit an Exemption Certification use Insurance.DataSecurity@tn.gov
If a licensee does not meet any of the exception criteria, they must complete a Compliance Certification form.
Tennessee Cyber & Data Security Laws include a Data Breach Requirement
Tennessee Cyber & Data Security Laws include 2010 Tennessee Code Consumer Protection Act
In Tennessee, data breach notification laws require businesses that own, license, or maintain covered information to notify individuals whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, within 45 days of the breach’s discovery. Tenn. Code § 47-18-2107
Notification requirements apply to persons or businesses that conduct business in the state and that own, license, or maintain covered information. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Notification is required only if the unauthorized acquisition of computerized data materially compromises the security, confidentiality, or integrity of personal information the information holder maintains.
A breach is an unauthorized acquisition that materially compromises the security, confidentiality, or integrity of the covered information, excluding certain good-faith acquisitions by employees or agents.
The unauthorized acquisition of encrypted nonpublic information is not considered a cybersecurity event if the encryption, process, or key is not also acquired, released, or used without authorization.
Electronic Only
An individual’s first name or first initial and last name, in combination with any one or more of the following data elements:
Must be made no later than 45 days after discovery or notification of the breach.
By written notice or electronic notice (if consistent with E-SIGN or the primary method of communication with the resident). Substitute notice is available if certain criteria are satisfied.
Tennessee does not have specific content requirements for the notice to affected individuals.
Notification may be delayed if law enforcement determines notice will impede a criminal investigation. If notification is delayed, it must be made no later than 45 days after law enforcement determines that notification will not compromise the investigation.
The Tennessee statute does not require notice to any government or regulatory agencies.
If more than 1,000 residents are notified, the information holder must also notify, without unreasonable delay, all nationwide Consumer Reporting Agencies of the timing, distribution, and content of the consumer notice.
Information holders subject to either the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA) are exempt from the statute.
If you maintain covered information on behalf of another entity, you must notify that entity no later than 45 days following discovery of a breach.
Under the Tennessee general breach notification statute, a Tennessee person or business entity who is a customer of an information holder and is injured by a violation of the statute may institute a civil action to recover damages and enjoin the information holder from further action in violation of the statute.
Violations may result in civil penalties.
Tennessee Cyber & Data Security Laws include an Identity Theft Deterrence Act of 1999.
Any person or company conducting business in Tennessee must follow the state’s data breach laws, which require businesses to inform their customers when their data is compromised in a breach. If more than 1,000 Tennessee residents are affected by a breach, businesses will also have to report the breach to consumer reporting agencies.
| Item | Tennessee requirement |
| --- | --- |
| Name of Law / Statute | Tennessee Identity Theft Deterrence Act of 1999 |
| Definition of Protected Information | Combination of (1) name or other identifying info, PLUS (2) one or more of these "data" elements: SSN; driver's license number; or account number, credit card number, debit card number if accompanied by PIN, password, or access codes. |
| Who Is Subject to Law? | "Information holders," defined as any person or business conducting business in the state who licenses or owns PI |
| Notification of Consumers? | Yes |
| By what means? | Written or electronic; if >1,000 residents, must notify consumer reporting agencies |
| Substitute Notice Threshold? | If cost of notice >$250,000 or involves >500k residents |
| Notification of authorities / regulators required? | No |
| By what means? | N/A |
| Regulatory Fines | N/A |
| Credit monitoring requirement? | No |
| Private lawsuits allowed? | Yes |
| Private damages cap? | Actual damages (treble for willful violation) + costs, attorney fees |
| Regulatory actions allowed? | Yes |
| HIPAA Compliance exemption? | N/A |
| Other (e.g., timeframe) | Law does not apply if PI was encrypted |
| Link to complete law | Tennessee's data breach law |