Skip to main content


Click here to review text of state statute (see Tenn. Code, Title 47, §47-18-2107, et seq.)

Return to Index of States

Click here to download a print-version of the Mintz Matrix

Information Covered / Important Definitions

Information covered:

Personal information of Tennessee residents.

Important definitions:

"Encrypted” means computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard

(FIPS) 140-2.

“Security Breach” means unauthorized acquisition of unencrypted computerized data, or encrypted computerized data and the encryption key, by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information. 

“Unauthorized Person” includes an employee of a covered entity who is discovered to have obtained personal information and intentionally used it for an unlawful purpose.

Covered Entities* / Third Party Recipients

Subject to statute:

Any person or business that conducts business in Tennessee.

Third party recipients:

Any covered entity that maintains computerized data that includes personal information that the covered entity does not own must notify the owner or licensee of the information of any security breach immediately following discovery of the breach but no later than forty-five (45) days from when the breach became known to third party recipient.

Notice Procedures & Timing / Other Obligations

Written or electronic notice must be provided to victims of a security breach immediately but no later than forty-five (45) days following the discovery or notification to covered entity of a security breach, unless a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement but still must occur within forty-five (45) days after the law enforcement agency’s authorization).

  • If a delay in notification is prompted by law enforcement needs, notice to affected residents must occur no later than forty-five (45) days after law enforcement agency determines that notification will no longer compromise its investigation.
  • Substitute notice is available by means prescribed in the statute if costs to exceed $250,000, affected class exceeds 500,000 persons, or covered entity has insufficient contact information.
  • Notice only required if security breach materially compromises the security, confidentiality or integrity of personal information.

Other Obligations:

Any covered entity that must notify more than 1,000 persons at one time of a security breach is also required to notify without unreasonable delay consumer reporting agencies.

Encryption Safe Harbor / Other Exemptions

Encryption Safe Harbor:

Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized person is fully encrypted.

Safe harbor not available if the encryption key is compromised together with the encrypted data.

Other exemptions:

Exemption for good faith acquisition of personal information by an employee or agent of a covered entity for the purposes of the covered entity so long as the personal information is not used or subject to further unauthorized disclosure.

A covered entity is deemed in compliance with the Tennessee statute if it maintains and complies with its own notification procedures as part of an information security policy and whose procedures are consistent with the timing requirements of the Tennessee statute.

A covered entity that is subject to GLBA or HIPAA is exempt from New Mexico’s statute.

Notification to Regulator / Waiver

A determination of no likelihood of harm: Does not require notification to attorney general.


Violations fall under the Tennessee Consumer Protection Act and constitute an unfair or deceptive act or practice affecting trade or commerce.

Private Cause of Action / Enforcement

Private Cause of Action: Yes.

Residents and business entities injured by a violation may institute a civil action to recover damages as well as injunctive relief.


Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive.  Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.

Click here to review text of state statute (see Tenn. Code, Title 47, §47-18-2107, et seq.)

Return to Index of States

Click here to download a print-version of the Mintz Matrix

Subscribe To Viewpoints