HOUSE BILL 1033
By Dixie

HB1033
000603

AN ACT to amend Tennessee Code Annotated, Title 20; Title 29 and Title 47, Chapter 18, relative to data security.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF TENNESSEE:

SECTION 1. Tennessee Code Annotated, Title 47, Chapter 18, is amended by adding the following as a new part:

47-18-3501.

As used in this part:

    (1) "Business" means a limited liability company, limited liability partnership, corporation, sole proprietorship, association, or other group, however organized, and operating for profit or not for profit;

    (2) "Covered entity" means a business that accesses, receives, stores, maintains, communicates, or processes personal information, personal health information, or restricted information in or through one (1) or more systems, networks, or services located in or outside of this state;

    (3) "Data breach":

        (A) Means an intentional or unintentional act that has the potential to result in electronic information owned, licensed to, or otherwise protected by a covered entity being viewed, copied, modified, transmitted, or destroyed in a manner that is reasonably believed to cause or have the potential to cause material risk of fraud, identity theft, or other injuries or damage to person or property; and

        (B) Does not include:

            (i) Disclosure of personal information, personal health information, or restricted information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory agency; and

            (ii) Good faith transmission of personal information, personal health information, or restricted information by the covered entity's employee or business associate, or an agent on behalf of the covered entity; provided, that the personal information, personal health information, or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure;

    (4) "Encrypted" means the use of an algorithmic process to transform data into a form for which there is a low probability of assigning meaning without the use of a confidential process or key;

    (5) "Individual" means a natural person;

    (6) "Personal health information" means information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a healthcare service, including diagnosis or treatment, and for which the standards, implementation specifications, and requirements for protecting electronic protected health information are described in 45 CFR 164, subpart C;

    (7) "Personal information":

        (A) Means information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, social security number, driver's license number or state identification card number, passport number, account number or credit or debit card number, location data, biometric data, an online identifier, or one (1) or more factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity of such individual; and

        (B) Does not include personal health information or restricted information; and

    (8) "Restricted information" means information that is sensitive about an individual, other than personal information or publicly available information, that alone or combined with other information can be used to distinguish or trace an individual's identity or can be linked to an individual if the information is not encrypted, redacted, or altered by any method or technology in a manner that renders the information unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to a person or property.

47-18-3502.

(a)

    (1) A covered entity seeking an affirmative defense under this part shall create, maintain, and comply with a written cybersecurity program that contains administrative, technical, operational, and physical safeguards for the protection of both personal information, personal health information, and restricted information at the time of the breach.

    (2) The program must be designed to:

        (A) Protect against a breach of security;

        (B) Protect the security and integrity of personal information, personal health information, and restricted information;

        (C) Protect against any anticipated threat to the security or integrity of personal information, personal health information, and restricted information;

        (D) Continually evaluate and mitigate any reasonably anticipated internal or external threats or hazards that could lead to a data breach, including conducting annual privacy and security risk assessments; and

        (E) Communicate to any affected parties the extent of any risk posed and actions the affected parties may take to reduce any damages if a data breach is known to have occurred.

    (3) The covered entity must have a chief information officer or security officer assigned to coordinate the program and take measures to train employees on the necessary safety practices and regulations.

(b) A covered entity satisfies subsection (a) if the written cybersecurity program contains written protocols that reasonably conform to an industry-recognized cybersecurity framework at the time of the breach, as described in § 47-18-3503.

(c) A covered entity that satisfies this section is entitled to an affirmative defense to any cause of action in tort brought under the laws of this state or in the courts of this state, even if the covered entity's agent breached the covered entity's data, when it is alleged that the failure to implement reasonable information security controls resulted in a data breach of personal information, personal health information, or restricted information.

(d) A covered entity may not claim an affirmative defense under this section if the covered entity had actual notice of a threat or hazard to the security or integrity of the personal information, personal health information, or restricted information and did not act to mitigate the threat or potential hazard within a reasonable time in accordance with the industry-recognized cybersecurity framework timeframe to make proper notifications to inform affected parties a breach has occurred.

47-18-3503.

(a) A covered entity's cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework for purposes of this part if, at the time of the breach:

    (1) The cybersecurity program reasonably conforms to the current version of one (1) or more of the following, subject to subsection (b):

        (A) The Framework for Improving Critical Infrastructure Cybersecurity developed by the national institute of standards and technology (NIST);

        (B) NIST Special Publication 800-171;

        (C) NIST Special Publications 800-53 and 800-53A;

        (D) The International Organization for Standardization and International Electrotechnical Commission's 27000 Family of Standards;

        (E) The Federal Risk and Authorization Management Program Security Assessment Framework; or

        (F) The Center for Internet Security's Critical Security Controls for Effective Cyber Defense; or

    (2) The covered entity is regulated by the state, the federal government, or both, or is otherwise subject to, and the cybersecurity program reasonably conforms to, the entirety of the current version of one (1) or more of the following at the time of the breach, subject to subsection (b):

        (A) The security requirements of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), as set forth in 45 CFR part 164, subpart C;

        (B) Title V of the Gramm-Leach-Bliley Act, Pub. L. No. 106-102, as amended;

        (C) The Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283;

        (D) The Health Information Technology for Economic and Clinical Health (HITECH) Act, as set forth in 45 CFR part 164; or

        (E) Another applicable federal or state regulation; or

    (3) The cybersecurity framework reasonably complies with both the current version of the payment card industry data security standard and conforms to the current version of another applicable industry-recognized cybersecurity framework, subject to subsection (b).

(b) If a new and final revision to a framework listed in subsection (a) is published, then a covered entity whose cybersecurity program reasonably conforms to such framework shall conform the elements of its cybersecurity program to the revised framework, or another applicable framework listed in subsection (a), within the timeframe provided, if any, in the relevant framework upon which the covered entity intends to rely to support its affirmative defense. In all cases, the covered entity must come into compliance with the new and final revision, or another framework listed in subsection (a), within the earlier of one (1) year after the publication date of the new and final revision or its stated compliance date, if any.

47-18-3504.

This part does not create a private right or cause of action, including a class action, with respect to any act or practice regulated under this part.

SECTION 2. This act takes effect July 1, 2025, the public welfare requiring it.