Tennessee Adds New Encryption And Timing Requirements To Its Data Breach Notification Law

On April 4, 2017, Tennessee Governor Bill Haslam signed into law an amendment to the state’s data breach notification law, making two substantive changes to the statute:

  1. Adding a technically specific safe harbor encryption provision; and
  2. Adding a 45 day window to complete breach notification, when required.

Overall Summary of Breach Notification Law

Tennessee’s data breach notification law applies to any person or business conducting business in Tennessee that owns or licenses computerized data that contains “personal information.” “Personal information” is defined under the statute as a person’s first name or initial and last name combined with:

  • Social security number;
  • Driver’s license number; or
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. Covered entities that are subject to Title V of the Gramm-Leach-Bliley Act of 1999 or the Health Insurance Portability and Accountability Act of 1996, as expanded by the Health Information Technology for Clinical and Economic Health Act, are exempt from the law.

The statute requires covered entities to disclose a “breach in the security of the system” to any resident of Tennessee whose personal information was, or is reasonably believed to have been, acquired by an “unauthorized person.”

New Encryption Requirements

Under the new law, the phrase “breach in the security of the system” has been amended to read “breach of system security,” and is defined to mean the acquisition of: (1) unencrypted computerized data; or (2) encrypted computerized data and the encryption key that contains personal information by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder. The new statute defines encrypted to mean “computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2[.]” FIPS 140 is a US government standard that defines minimum security requirements for cryptographic modules in products and systems, as set forth in Section 5131 of the Information Technology Management Reform Act of 1996. Therefore, under the new amendment, if the information acquired was encrypted pursuant to the FIPS 140-2 standards, and the encryption key was not compromised, notification is likely not required.

Notification Clarification

The new amendment also imposes a specific time frame for completing notification, when required. Disclosure now must be made no later than 45 days from the discovery or notification of the “breach of system security,” unless a longer period of time is required due to the legitimate needs of law enforcement. Specifically, notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. This change makes Tennessee the eighth state to enact a statute that puts a specific time period on the notification requirement. The majority of states only require notification in the “most expedient time possible” or “without unreasonable delay.”


Cyber threat preparation and monitoring remains the first and best line of defense against data breaches. Dentons helps companies prepare for breach by formulating written incident response plans, conducting table-top exercises with key members of the incident response teams, and advising companies on compliance with data notification reporting requirements, such as the new requirements now applicable in Tennessee. Our team is ready to help you or your business navigate this complicated area of the law, and help with the growing need for encryption requirements.

Banks Face Challenge Of Integrating Cyber And Operational Risk

Banks are increasingly aware of the threats that can arise from cyber-related crimes and are continuing to strengthen their defenses against these threats. The resulting pace of change and innovation on both sides of the “conflict” continues to accelerate as the potential for gain and/or loss for the attacking entities and financial institutions only grows.

Newly published Accenture research on cybersecurity across the banking sector found that 78 percent of senior security executives from across the banking sector expressed confidence about their overall cybersecurity strategy. However, these executives may be overconfident; the survey also revealed that, among the thousands of phishing, malware and penetration attacks that financial services firms face each year, there were an average of 85 serious attempted cyber breaches. Of these, about one-third (36 percent) were successful – meaning at least some information was obtained through the breach. And, according to respondents, a majority (59%) of successful breaches go undetected for several months – demonstrating that the cybercrime industry has evolved from its early days of being “smash and grab” to a more sophisticated approach of getting inside in order to listen, learn and extend the criminal activity.

Dealing with threats of this magnitude continues to call for new and innovative approaches to cybersecurity. Typically, banks have tried to establish controls to manage cyber risk from the top down with a strong security perimeter. But in coping with the complexities of firewalls, malware and phishing alongside increasing use of social engineering approaches to infiltrate the institutions, banks are struggling to connect the technical aspects of cybersecurity with the broader concerns of operational risk – defined by the Basel Committee as “the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events.”

Any successful cyberattack has the opportunity to affect people, processes and technology throughout the organization. In the wake of an attack, banks need to get IT systems back up and running, but they also need to reassure customers and regulators, deploy effective back-up systems, and potentially, compensate losses. This calls for advance planning, cooperation and communication between operational, risk, infrastructure and cybersecurity teams. Proper planning is a critical component in the overall defense approach and needs to be prioritized on a risk basis. Being able to identify the valuable data assets in the environment – and then focusing on how to provide multiple layers of defense for this specific population – helps to enable the right strategy and focus the security related investment.

Another important factor for consideration is the ability to quickly quarantine an area which has been breached, to enable the broader systems and processes of the bank to continue operating while the affected areas are investigated, repaired and brought back on line. Incorporating the cyber risk strategy with an effective enterprise risk management (ERM) strategy can therefore help to limit the damage from a data loss event, distributed denial of service (DDoS) attack or other cyber incidents. Increasingly we do see cyber risk as a specific component of a comprehensive operational and ERM strategy, with formal review and oversight by the board and senior management.

Banks are continuing to step up both their investments in cybersecurity and their risk-based approach to protecting the institution. In addition to spending on technology and cyber expertise, they also are enhancing the governance framework to help foster accountability across heritage functional silos and create a more cohesive security-minded culture. By ensuring that the security program is supported by a more comprehensive risk and business strategy, organizations are able to develop a more complete “cyber response plan” that includes stakeholder communications and the protection and recovery of key assets. And the result is seen in banks decreasing their risk exposure while also improving the speed and effectiveness of their responses.

Cyber threats will continue to evolve, but banks that tie cybersecurity efforts to broader operational risks will be far more resilient in a challenging environment.


This article was written by Steve Culp from Forbes and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to [email protected].

The post Banks Face Challenge Of Integrating Cyber And Operational Risk appeared first on McAfee Blogs.

Hajime Botnet Reaches 300,000 Hosts With No Malicious Functions

This is not the first IoT heavy botnet, Mirai takes that title, the interesting part is the Hajime botnet appears to be benign. So far no malicious functions have been detected in the codebase, other than the ability to replicate itself and block other malware, Hajime seems to have no DDoS or offensive mechanisms. Hajime […] The post Hajime...

Read the full post at darknet.org.uk

Punching holes in nomx, the world’s “most secure” communications protocol

Enlarge / Artist's impression of a nomx product under the scrutiny of security researchers. (credit: Aurich/ThinkStock/Nomx)

This article was originally published on Scott Helme's blog and is reprinted here with his permission.

I was recently invited to take part in some research by BBC Click, alongside Professor Alan Woodward, to analyze a device that had quite a lot of people all excited. With slick marketing, catchy tag lines and some pretty bold claims about its security, nomx claims to have cracked e-mail security once and for all. Down the rabbit hole we go!


You can find the official nomx site at nomx.com and right away you will see how secure this device is.

"Everything else is insecure."

Read 88 remaining paragraphs | Comments