Governor Signs Amendment to Tennessee Data Breach Notification Law


May 24, 2017

During the recent 110th Regular Session of the Tennessee General Assembly, Governor Bill Haslam signed into law an amendment to the Tennessee Identity Theft Deterrence Act of 1999.[1]

The previous version of the law required any person or business that conducts business in the state of Tennessee and that owns or licenses computerized personal information of Tennessee residents to notify such residents whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. These persons or businesses were required to notify affected Tennessee residents within 45 days following discovery or notification of a breach, provided that a law enforcement agency may delay this notification requirement if it determines that notification would impede a criminal investigation.

This amendment, which unanimously passed both chambers of the Tennessee General Assembly:

  • Clarifies that notification to affected Tennessee residents of a data breach must be made within 45 days following a determination by the applicable law enforcement agency that notification will not compromise the investigation;
  • Adds exceptions to the definition of "personal information" for (i) information that has been redacted or otherwise made unusable, and (ii) encrypted information, provided that the encryption key for such information has not been acquired by an unauthorized person; and
  • Changes the definition of an "unauthorized person" from "an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose" to "an employee of the information holder who is discovered by the information holder to have obtained personal information with the intent to use it for an unlawful purpose."

The exception of encrypted information from the definition of protected personal information is consistent with similar breach notification statutes in other states and is a welcome confirmation of the scope of the statute. However, the change to the definition of "unauthorized person," for example, raises uncertainties that were not previously present.

The revised definition of "unauthorized person" appears to obligate employers to provide notification when an employee obtains personal information and intends to use it unlawfully, but has not yet done so. This raises the issue of whether the act of obtaining, but not using, the personal information could alone constitute a "material" compromise of the "security, confidentiality, or integrity of the personal information" and thereby trigger a breach notification obligation. If so, this change in the definition of "unauthorized person" may greatly expand required notifications under this law.

Bass, Berry & Sims will continue to monitor and provide updates as we track privacy legislation and regulations. If you have questions regarding the potential effects of this legislation or any other privacy concerns relating to your organization, please contact an attorney on our Privacy & Data Security team.


[1] 2017 Tenn. Pub. Acts 91.

