Close X
Attorney Spotlight

How does Jordana Nelson's prior experience as a general counsel inform her work with firm clients? Read more>

Search

Close X

Experience

Search our Experience

Experience Spotlight

The M&A Advisor Winner 2017The M&A Advisor announced the winners of the 16th Annual M&A Advisor Awards on Monday, November 13 at the 2017 M&A Advisor Awards. Bass, Berry & Sims was named a winner in the two categories related to the following deals:

M&A Deal of the Year (from $1B-$5B) – Acquisition of CLARCOR Inc. by Parker Hannifin Corporation

Corporate/Strategic Deal of the Year (over $1B) – Acquisition of BNC Bancorp by Pinnacle Financial Partners

Close X

Thought Leadership

Enter your search terms in the relevant box(es) below to search for specific Thought Leadership.
To see a recent listing of Thought Leadership, click the blue Search button below.

Thought Leadership Spotlight

Regulation A+

It seems that lately there has been a noticeable uptick in Regulation A+ activity, including several recent Reg A+ securities offerings where the stock now successfully trades on national exchanges. In light of this activity, we have published a set of FAQs about Regulation A+ securities offerings to help companies better understand this "mini-IPO" offering process, as well as pros and cons compared to a traditional underwritten IPO.

Read now

Governor Signs Amendment to Tennessee Data Breach Notification Law

Firm Publication

Publications

May 24, 2017

During the recent 110th Regular Session of the Tennessee General Assembly, Governor Bill Haslam signed into law an amendment to the Tennessee Identity Theft Deterrence Act of 1999.1

The previous version of the law required any person or business that conducts business in the state of Tennessee and that owns or licenses computerized personal information of Tennessee residents to notify such residents whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. These persons or businesses were required to notify affected Tennessee residents within 45 days following discovery or notification of a breach, provided that a law enforcement agency may delay this notification requirement if it determines that notification would impede a criminal investigation.

This amendment, which unanimously passed both chambers of the Tennessee General Assembly:

  • Clarifies that notification to affected Tennessee residents of a data breach must be made within 45 days following a determination by the applicable law enforcement agency that notification will not compromise the investigation;
  • Adds exceptions to the definition of "personal information" for (i) information that has been redacted or otherwise made unusable, and (ii) encrypted information, provided that the encryption key for such information has not been acquired by an unauthorized person; and
  • Changes the definition of an "unauthorized person" from "an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose" to "an employee of the information holder who is discovered by the information holder to have obtained personal information with the intent to use it for an unlawful purpose."

The exception of encrypted information from the definition of protected personal information is consistent with similar breach notification statutes in other states and is a welcome confirmation of the scope of the statute. However, the change to the definition of "unauthorized person", for example, raises new uncertainties not previously present.

The revised definition of "unauthorized person" appears to obligate employers to provide notification when an employee obtains personal information and intends to use it unlawfully, but has not yet done so. This raises the issue of whether the act of obtaining, but not using, the personal information could alone constitute a "material" compromise of the "security, confidentiality, or integrity of the personal information" and thereby trigger a breach notification obligation. If the latter is true, this change in the definition of "unauthorized person" may greatly expand required notifications under this law.

Bass, Berry & Sims will continue to monitor and provide updates as we track privacy legislation and regulations. If you have questions regarding the potential effects of this legislation or any other privacy concerns relating to your organization, please contact an attorney on our Privacy & Data Security team.


12017 Tenn. Pub. Acts 91.


Related Professionals

Related Services

Notice

Visiting, or interacting with, this website does not constitute an attorney-client relationship. Although we are always interested in hearing from visitors to our website, we cannot accept representation on a new matter from either existing clients or new clients until we know that we do not have a conflict of interest that would prevent us from doing so. Therefore, please do not send us any information about any new matter that may involve a potential legal representation until we have confirmed that a conflict of interest does not exist and we have expressly agreed in writing to the representation. Until there is such an agreement, we will not be deemed to have given you any advice, any information you send may not be deemed privileged and confidential, and we may be able to represent adverse parties.