Tennessee Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Tennessee's data breach notification law is codified at Tenn. Code 47-18-2107 within the state's Identity Theft Deterrence Act (Part 21 of the Tennessee Consumer Protection Act). Originally enacted in 2005, the statute received significant amendments in 2016 and 2017 that added a firm 45-day notification deadline and technical encryption requirements.
If your business handles personal information belonging to Tennessee residents, a data breach triggers specific notification obligations. Tennessee stands out among states for granting a private right of action to injured consumers, allowing individuals to sue for both damages and injunctive relief.
This guide covers the full requirements under Tennessee law, including how they connect to the broader [Tennessee data privacy laws](/us-laws/data-privacy-laws/tennessee-data-privacy-laws) framework.
Who Must Comply
Tennessee's law applies to any "information holder," which includes any person or business that conducts business in Tennessee and owns or licenses computerized data that includes personal information of Tennessee residents. State agencies and political subdivisions are also covered.
The law also applies to third-party data maintainers. Any entity that maintains computerized data on behalf of another entity must notify the data owner or licensee within 45 days of discovering a breach. The data owner then carries the obligation to notify affected consumers.
Federal Law Exemptions
Entities subject to the following federal frameworks are exempt from Tennessee's breach notification requirements, as long as they comply with the applicable federal notification procedures:
- Gramm-Leach-Bliley Act (GLBA) for financial institutions
- Health Insurance Portability and Accountability Act (HIPAA) for covered healthcare entities and their business associates
These entities must still comply with their federal breach notification obligations.
What Triggers Notification
Under Section 47-18-2107, a "breach of system security" means the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder.
The key term is "materially compromises." Not every unauthorized access triggers notification. The breach must materially affect the security of the personal information, giving entities some latitude to assess whether a technical incident rises to the level of a reportable breach.
Good Faith Exception
A good faith acquisition of personal information by an employee or agent of the information holder is not a breach, provided the information is not used or subject to further unauthorized disclosure.
Encryption Safe Harbor

Tennessee provides an encryption safe harbor tied to a specific federal standard. Under the 2017 amendments (SB 547), data encrypted in accordance with the Federal Information Processing Standard (FIPS) 140-2 is protected from breach notification requirements, as long as the decryption process or key was not also acquired, released, or used without authorization during the breach.
This is a more specific standard than many states require. FIPS 140-2 is the federal government's standard for validating cryptographic modules, so the safe harbor turns on whether the data was protected by a validated module, not merely on the choice of encryption algorithm. Because the safe harbor is conditioned on the key or decryption process not being compromised, how the keys were stored and who could reach them during the incident matters as much as the encryption itself.
Personal Information That Triggers the Law
Tennessee's definition of personal information is relatively narrow compared to states that have updated their laws in recent years. Under Section 47-18-2107, personal information means an individual's first name or first initial and last name, in combination with any one or more of the following data elements:
- Social Security number
- Driver's license number
- Account, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to the individual's financial account
What Tennessee's Law Does Not Cover
The definition does not extend to:
- Medical or health information
- Health insurance identification numbers
- Biometric data
- Passport numbers
- Email credentials (usernames with passwords)
- Taxpayer identification numbers (other than SSNs)
Personal information does not include information lawfully made available to the general public from federal, state, or local government records, or information that has been redacted or otherwise made unusable.
The 45-Day Notification Timeline

Under the 2017 amendments, notification must be made immediately, but no later than 45 days from the discovery or notification of the breach of system security. This replaced the previous "without unreasonable delay" standard with a firm deadline.
Law Enforcement Delay
Notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation. Once law enforcement determines that notification will no longer compromise the investigation, the information holder must provide notification within 45 days of that determination.
Third-Party Data Holders
When a third party that maintains data on behalf of another entity discovers a breach, the third party must notify the data owner or licensee within 45 days. The data owner then has its own 45-day window to notify affected consumers.
Who Must Be Notified
Affected Individuals
Every Tennessee resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person must receive notification.
Consumer Reporting Agencies (1,000+ Threshold)
When an information holder must notify more than 1,000 persons at one time, the holder must also notify, without unreasonable delay, all nationwide consumer reporting agencies (Equifax, Experian, and TransUnion) of the timing, distribution, and content of the consumer notices.
No Mandatory AG Notification
Tennessee's breach notification statute does not require direct notification to the Attorney General for private-sector breaches. This is unusual among states that have modernized their breach notification laws. The Tennessee Attorney General has enforcement authority under the Tennessee Consumer Protection Act but does not receive mandatory breach reports under Section 47-18-2107.
For state agencies, a separate provision (Tenn. Code 8-4-119) requires notification to the Comptroller of the Treasury within five working days of a confirmed or suspected breach.
Methods of Notification
Tennessee permits two primary notification methods:
- Written notice sent to the individual
- Electronic notice, if consistent with the federal E-SIGN Act (15 U.S.C. 7001) or if electronic communication is the entity's primary method of communication with the resident
Substitute Notice
Substitute notice is available when the cost of providing notice would exceed $250,000, the affected class exceeds 500,000 persons, or the entity lacks sufficient contact information. Substitute notice requires all three of the following: email notice to available addresses, conspicuous posting on the entity's website, and notification to statewide media.
Penalties and Enforcement
Private Right of Action

Tennessee is one of the states that grants a private right of action for breach notification violations. Under Section 47-18-2107, any customer of an information holder that is a person or business entity (not a state agency) who is injured by a violation may institute a civil action to:
- Recover damages resulting from the violation
- Obtain injunctive relief to enjoin the information holder from further violations
These rights are cumulative, meaning they exist in addition to any other rights and remedies available under law.
Class Action Limitation
Tennessee's Consumer Protection Act includes a restriction on class actions. No class action lawsuit may be brought to recover damages for an unfair or deceptive act or practice under the Consumer Protection Act, which may limit aggregate consumer litigation for breach notification failures.
Attorney General Enforcement
The Tennessee Attorney General has authority to enforce the breach notification law as part of the broader Tennessee Consumer Protection Act. The AG can pursue civil penalties, injunctive relief, and consumer restitution for violations.
The Tennessee Information Protection Act (TIPA)
Tennessee enacted the Tennessee Information Protection Act (TIPA) in 2023, with an effective date of July 1, 2025. TIPA is a comprehensive consumer privacy law that creates new obligations for data controllers, including requirements around data minimization, purpose limitation, and consumer rights.
TIPA does not replace the breach notification requirements of Section 47-18-2107. The two laws operate independently: TIPA governs how businesses collect and use personal information, while Section 47-18-2107 governs what happens when that information is breached.
Sources and References
This article draws from the following official sources:
- Tenn. Code 47-18-2107 (Release of Personal Consumer Information) - Full text of Tennessee's data breach notification statute
- Tennessee Attorney General: Consumer Laws - AG consumer protection guidance
- Tennessee Comptroller: Data Breach Online Submission - State agency breach reporting portal
- NIST FIPS 140-2 - Federal encryption standard referenced in Tennessee's safe harbor
- Tennessee Information Protection Act (TIPA) Guidance - AG guidance on Tennessee's comprehensive privacy law
This article provides general legal information about Tennessee data privacy laws and breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in Tennessee for guidance specific to your situation.