Impact of Tennessee’s Safe Harbor Cybersecurity Class Action Litigation System | Sheppard Mullin Richter & Hampton LLP

Tennessee has joined a handful of other states in providing certain cybersecurity safe harbors. Unlike other states, the law follows but does not change state data breach notification laws. Also, unlike other states, the safe harbor is very narrow and is not triggered by a data security program.

Under the new law, companies will not be liable for class action lawsuits resulting from a “cybersecurity event,” a term defined similarly to the one the SEC uses to describe public entities’ 8K reporting requirements: namely, an event resulting from unauthorized access to or misuse of an “information system” or “nonpublic” information stored on that system.

Nonpublic information is defined as including items such as social security numbers, driver’s license numbers and bank account numbers, which is consistent with the state’s violation reporting law. However, it also includes “biometric data,” an item not included in the violation reporting law.

There is an exception to this safe harbor. It does not apply if the event was caused by a company’s “willful and wanton misconduct or gross negligence.” Terms that are not defined in the law.

Put into practice: Given the exemptions in this protection and its limited scope (in Tennessee, not across the U.S.), it is not clear whether it provides comprehensive protection for businesses. However, it could be the start of a trend we may see in other states in the coming months.