If notification is required to more than 1,000 persons, it must be reported, without unreasonable delay, to all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis.

If any state residents are affected by a breach of security, the breached Organization must give notice to the affected individuals within 45 days of discovery of the breach. If a breach affects residents of other jurisdictions, those individuals must be notified abased on the breach notification laws of the jurisdiction where they reside.

Violations of Tennessee’s data disposal law may be punishable by a civil penalty in the amount of $500, up to $10,000, for each record containing a customer’s personal identifying information that is wrongfully disposed of or discarded. Any consumer injured due to an Organization’s violation of the breach notification requirements can bring a civil action to recover damages and prevent further violations.

Tennessee passed the Insurance Data Security Law, which includes requirements of insurance licensees to protect personal information and investigate and respond to data breaches. Effective, July 1, 2021, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days. Separate state laws exist relating to student data and health records.

Organizations must have measures in place for the secure disposal of personal information in their possession.

Vendors must notify Organizations no later than 45 days after discovery of a breach of a suspected breach. The Organizations will be responsible to complete any required regulatory reporting and consumer notification.