Major industries in Tennessee include Health Care, Education, Finance, Management, Entertainment, Manufacturing, Agriculture, Technology, and Professional, Scientific & Technical Services.[1] Many of these industries are enticing targets for cyber-attacks. Further, there is a need for data privacy reform in Tennessee.[2] While there is a need for data privacy reform, cybersecurity standards are required to make any such reform viable. By advocating best practices for cybersecurity alongside data privacy legislation, Tennessee can ensure consumer data is protected and our businesses avoid costly liability.

While they are often used interchangeably, cybersecurity and data privacy address separate, yet related principles. Cybersecurity has been defined as “the activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from . . . or defended against damage, unauthorized use or modification, or exploitation.”[3] Data privacy, on the other hand, “involves individuals’ ability to control their personal data.”[4] Cybersecurity assists data privacy by reducing the likelihood of unauthorized disclosure.[5] Data privacy aids cybersecurity by providing individuals with opportunities to prevent certain information from being available for disclosure.

A Tennessee data privacy law should guarantee Tennessee residents certain rights afforded to European Union residents under the General Data Protection Regulation (“GDPR”) or to California residents under the California Consumer Privacy Act (“CCPA”).[6] The rights that Tennessee should, at a minimum, adopt are the right of access, right to rectification, right to be forgotten, right to restriction of processing, right to object, and the right to opt-out of the sale of personal data to third parties.[7] Further, a Tennessee data privacy law would give consumers a civil right of action against data controllers that infringe upon data subject rights.[8]

It should be noted that a Tennessee right to be forgotten must be balanced with freedom of speech and designate categories of data that may be deleted. For example, data about a consumer may or may not be subject to erasure based on factors such as the sensitivity of the data, such as medical and health information, certain financial information (i.e., bank account numbers) and government-issued identification numbers; public interest; and public or private figure distinctions. If an article is written about a political candidate, the likelihood of the right to be forgotten applying may be low unless the article contains sensitive data. Statistical data not of public interest on a private figure would likely be subject to erasure.[9]

Adequate cybersecurity standards help prevent personal data from unauthorized access. Ohio’s “Data Protection Act” provides a legal safe harbor to businesses from data breach suits if a business has a cybersecurity program that meets certain standards, including substantial compliance with certain National Institute of Standards and Technology’s (“NIST”) special publications, among other security frameworks.[10] Vermont’s Data Broker Regulation applies to businesses that collect personal data but do not have a direct relationship with the consumer and require those data brokers to adopt a specified information security program.[11] Failure to meet those standards is considered an unfair or deceptive act under Vermont’s Consumer Protection Act.[12] Ohio’s law offers the carrot, while Vermont’s law swings the stick. Small companies are less likely to meet the burden of a dedicated information security staff.[13] Rather than penalizing non-compliant companies, Tennessee should adopt a safe harbor provision setting cybersecurity standards.[14]To be clear, an appropriate Tennessee safe harbor should cover data breaches, not civil rights of action proposed for infringements of data rights.

Cyber-attacks and, as a result, cybersecurity is constantly evolving. State-mandated cybersecurity standards must either be adequate to last years before amendment or flexible. NIST special publications are frequently revised and commented upon.[15] The NIST special publications provide specific guidelines, technical specifications, recommendations and reference materials.[16] Further, some believe NIST’s “Cybersecurity Framework” may become the baseline for commercially reasonable cybersecurity practices.[17] The FTC and other regulatory agencies consider NIST’s Cybersecurity Framework the “gold standard” in cybersecurity practices.[18] Therefore, Tennessee should adopt NIST cybersecurity standards in a safe harbor provision.

In the wake of events such as the Facebook-Cambridge Analytica scandal, data privacy and cybersecurity issues are boiling over. While businesses will want to continue to reap the benefits of the data market and avoid costly cybersecurity programs, consumers will continue to search for answers to why their data is sold and breached. By implementing data privacy rights, Tennessee can afford residents control over their personal data and what exists in the vacuum of the Internet. By implementing NIST cybersecurity standards through a safe harbor provision, not only are businesses more likely to adopt such standards, but Tennessee resident data will more likely be adequately protected. Therefore, Tennessee data privacy and cybersecurity reform presents a win-win opportunity for consumers and businesses.

T. Bruce Shank II

Bruce Shank is a Legal Intern with Morehous Legal Group, PLLC, focusing on data privacy and transactions for start-up companies.


[1] TN Department of Labor & Workforce Development, Tennessee’s Economy: 2018 Reference Guide (2019),

[2] T. Bruce Shank II, The Data Privacy Revolution: How the Era of the General Data Protection Regulation Impacts Tennessee Businesses, 21 Transactions: Tenn. J. Bus. L. 139, 168 (2019).

[3] Jeff Kosseff, Positive Cybersecurity Law: Creating a Consistent and Incentive-Based System, 19 Chap. L. Rev. 401, 404-405 (2016) (quoting the National Initiative for Cybersecurity Careers and Studies definition).

[4] Id.

[5] Id.

[6] Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Council Directive 95/46/EC, 2016 O.J. (L 119) 59 cor. 2018 O.J. (L 127) 61 [hereinafter “GDPR”]; Assemb. B. 375, 2017 Assemb., Reg. Sess. (Cal. 2018) [hereinafter “CCPA”].

[7] The right to data portability under the GDPR is specifically excluded.

[8] GDPR, supra note 6, art. 4(7) defines “controller” as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

[9] These examples provide a basic understanding of how the right to be forgotten can apply in Tennessee. A much more thorough and concrete rule is necessary and would likely be developed by the statute and case law.

[10] S.B. 220, 132nd Gen. Assemb., Reg. Sess. (Ohio 2018).

[11] H.B. 764, 2017 H., Legis. Sess. (Vt. 2018).

[12] Vermont Office of the Attorney General, Guidance on Vermont’s Act 171 of 2018: Data Broker Regulation (December 11, 2019),

[13] Kosseff, supra note 3, at 412-413.

[14] Id.

[15] Nat’l Inst. of Standards and Tech., Computer Security Resource Center,

[16] Id.

[17] Scott J. Schackelford et al., Toward a Global Cybersecurity Standard of Care?: Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices, 50 Tex. Int’l L. J. 305, 310 n.22 (2015).

[18] Shawn E. Tuma, Real Cybersecurity that Companies Need to Protect Themselves and Their Digital Assets, 2018 TXCLE-IPLW 1-V (2018).


Leave a Reply

Your email address will not be published. Required fields are marked *