Mandatory Timeframe for Breach Reporting and/or Consumer Notification
Within 45 Days
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Vendor Specific Obligations
Vendor Mandated Contracts
Requests for Information
Fines & Penalties
Violations of Breach and Notification Laws:
- Civil Action to recover damages
None to minimal
If notification is required to more than 1,000 persons, it must be reported, without unreasonable delay, to all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis.
Vendors should notify the data owner of any breach if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person, no later than 45 days from the discovery or notification of the breach.
Violations of Tennessee’s data disposal law may be punishable by a civil penalty in the amount of $500, up to $10,000, for each record containing a customer’s personal identifying information that is wrongfully disposed of or discarded.
Separate state laws exist relating to student data and health records.
If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
Tenn. Code § 47-18-2107 Release of personal consumer information
Tenn. Code § 47-18-2110 Protecting social security numbers from disclosure
Tenn. Code § 39-14-150 Identity theft victims’ rights