Mandatory Timeframe for Breach Reporting and/or Consumer Notification

Within 45 Days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect personal information
  • Written Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of Breach and Notification Laws
Civil Action to recover damages

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Data Protection
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • If notification is required to more than 1,000 persons, it must be reported, without unreasonable delay, to all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis.
  • Vendors should notify the data owner of any breach if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person, no later than 45 days from the discovery or notification of the breach.
  • Violations of Tennessee’s data disposal law may be punishable by a civil penalty in the amount of $500, up to $10,000, for each record containing a customer’s personal identifying information that is wrongfully disposed of or discarded.
  • Separate state laws exist relating to student data and health records.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
  • Tenn. Code § 47-18-2107 Release of personal consumer information (2005)
  • Tenn. Code § 47-18-2110 Protecting social security numbers from disclosure (2007)
  • Tenn. Code § 39-14-150 Identity theft victims’ rights (1999)
  • Tenn. Code §§ 49-1-701 – 49-1-708 Education/Data Accessibility, Transparency and Accountability Act
    (2014)
  • Tenn. Code §§ 68-11-301 – 68-11-312 Medical Records Act of 1974
BAck to map