Tennessee has joined a handful of other states to provide certain safe harbors in the cybersecurity realm. Unlike others, the law sits beside (but does not modify) the state’s data breach notification law. Also unlike others, the safe harbor is very narrowly tailored, and is not triggered by having a data security program.
Under the new law, companies are not liable in class action suits that arise from a “cybersecurity event.” The term is defined similarly to that used by the SEC when describing public entities’ 8-K filing obligations: namely, an event that arises from unauthorized access or misuse of either an “information system” or “non-public” information stored on that system.
Non-public information is defined to include elements like Social Security numbers, driver’s license numbers, and financial account numbers, mirroring the state’s breach notice law. It also includes, though, “biometric records,” an element not found in the breach notice law.
There is an exception to this safe harbor. It does not apply if the event was caused by a company’s “willful and wanton misconduct or gross negligence.” These terms are not defined under the act.
Putting It Into Practice: Given the carve-out to this shield, and its limited jurisdiction (in Tennessee and not across the US), it is not clear if it will afford broad protections to companies. However, it may be the start of a trend that we might find in other states over the coming months.