§ 29-34-215 — Liability of private entities for cybersecurity events

Tennessee § 29-34-215

• Jurisdiction: Tennessee
• Title: 29

Text

(a) As used in this section: (1) "Cybersecurity event" means an event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system; (2) "Information system" has the same meaning as defined in § 56-2-1003 ; (3) "Nonpublic information" means information that is not publicly available and concerns a person that, because of a name, number, personal mark, or other identifier, can be used to identify that person, in combination with the following: (A) A social security number; (B) A driver license number or non-driver identification card number; (C) A financial account number or credit or debit card number; (D) A security code, access code, or password that would permit access to the person's financial accounts; or (E) Biometric records; (4) "Private entity" means a corporation, religious or charitable organization, association, partnership, limited liability company, limited liability partnership, or other private business entity, whether organized for-profit or not-for-profit; and (5) "Publicly available information" means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public. (b) A private entity is not liable in a class action lawsuit resulting from a cybersecurity event unless the cybersecurity event was caused by willful and wanton misconduct or gross negligence on the part of the private entity.

Legislative History

Added by 2024 Tenn. Acts, ch. 991,s 1, eff. 5/21/2024.