Tennessee Cybersecurity Compliance: Laws, Requirements & What Businesses Must Do
A comprehensive guide to Tennessee data privacy and cybersecurity laws, including the Tennessee Information Protection Act (TIPA), breach notification requirements, and industry-specific compliance obligations for healthcare, logistics, and financial services.
Tennessee's regulatory landscape for data privacy and cybersecurity has undergone significant transformation in recent years. The passage of the Tennessee Information Protection Act (TIPA) in 2023, with an effective date of July 1, 2025, placed Tennessee among a growing number of states with comprehensive consumer data privacy frameworks. But TIPA does not exist in isolation. Tennessee businesses must also navigate the state's existing breach notification statute, the Identity Theft Deterrence Act, and — depending on their industry — federal mandates like HIPAA, GLBA, and CMMC that layer additional obligations on top of state law.
For organizations operating in Tennessee, compliance is not a single checkbox but an ongoing program that must account for multiple overlapping requirements. The state's outsized role in healthcare, logistics, and financial services means that most Tennessee businesses face industry-specific regulations in addition to general state law. This guide breaks down each major statute, explains what is required, and provides practical steps for building a compliance program that addresses Tennessee's specific obligations. The history of Tennessee data breaches demonstrates exactly why these laws exist and why enforcement is accelerating.
Tennessee's Primary Data Privacy & Cybersecurity Laws
Tennessee Information Protection Act (TIPA)
TIPA was signed into law by Governor Bill Lee on May 11, 2023, as part of SB 73/HB 1181 during the 113th General Assembly. The law takes effect on July 1, 2025, and establishes comprehensive consumer data privacy rights for Tennessee residents. TIPA applies to businesses that conduct business in Tennessee or target products and services to Tennessee residents, and that during a calendar year either control or process the personal information of at least 175,000 Tennessee residents, or control or process the personal information of at least 25,000 Tennessee residents and derive more than 50% of gross revenue from the sale of personal information.
Key provisions of TIPA include:
Consumer rights: Tennessee residents may request to access, correct, delete, and obtain a portable copy of their personal information, as well as opt out of the sale of personal data, targeted advertising, and profiling
Controller obligations: Businesses must limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purpose; implement reasonable data security practices; and provide clear privacy notices
Data protection assessments: Required for processing activities involving targeted advertising, sale of personal information, profiling that presents a risk of harm, sensitive data processing, and any processing presenting a heightened risk
Cure period: TIPA provides a 60-day cure period, allowing businesses to remedy alleged violations before the Attorney General takes enforcement action
Enforcement: Exclusive enforcement authority rests with the Tennessee Attorney General. TIPA does not create a private right of action. Penalties follow the Tennessee Consumer Protection Act, up to $15,000 per violation
Affirmative defense: Uniquely, TIPA provides an affirmative defense for businesses that maintain and comply with a written privacy program conforming to the NIST Privacy Framework or comparable recognized standards
Tennessee Breach Notification Statute (TCA 47-18-2107)
Tennessee's breach notification law, codified at Tennessee Code Annotated Section 47-18-2107, requires any person or business that conducts business in Tennessee and owns or licenses computerized personal information to notify affected Tennessee residents of a security breach. The law defines personal information as an individual's first name or first initial and last name, combined with one or more of the following unencrypted data elements: Social Security number, driver's license number, or financial account number with any required access code or password.
Notification must be provided in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach. If more than 1,000 residents are affected, the business must also notify the three major credit reporting agencies. Violations constitute unfair or deceptive acts under the Tennessee Consumer Protection Act.
Tennessee Identity Theft Deterrence Act (TCA 39-14-150)
The Identity Theft Deterrence Act of 1999, codified at Tennessee Code Annotated Section 39-14-150, makes identity theft a criminal offense in Tennessee. The law prohibits the knowing transfer or use of identifying information of another person with the intent to commit any unlawful act. Penalties range from a Class D felony for losses under $60,000 to a Class B felony for losses exceeding $250,000. While this statute primarily creates criminal liability rather than regulatory compliance obligations, it establishes the legal framework under which identity theft resulting from data breaches is prosecuted in Tennessee and informs the severity with which courts treat data security failures.
Tennessee Personal and Commercial Computer Act (TCA 39-14-601)
This statute criminalizes unauthorized access to computer systems, distribution of malware, and denial-of-service attacks. It provides law enforcement with the tools to prosecute cyberattacks that originate in or target Tennessee systems. For businesses, the statute reinforces the importance of maintaining proper access controls and authorization frameworks, as both external attackers and insiders who exceed their authorized access may face prosecution under this law.
Data Breach Notification Requirements in Tennessee
The practical requirements for breach notification under TCA 47-18-2107 can be broken down into specific steps that Tennessee businesses must follow:
Determine whether a breach has occurred: A breach of system security means the unauthorized acquisition of computerized personal information that materially compromises the security, confidentiality, or integrity of that information. If the data was encrypted and the encryption key was not compromised, notification is not required
Assess the scope: Identify which Tennessee residents are affected and what categories of personal information were compromised
Notify affected individuals: Provide written notice via mail, or electronic notice if consistent with the E-SIGN Act. Notice must include a description of the incident and contact information for the reporting entity
Notify credit reporting agencies: Required when more than 1,000 Tennessee residents are affected, delivered simultaneously with individual notification
Coordinate with law enforcement: Notification may be delayed at the request of law enforcement if disclosure would impede a criminal investigation
It is worth noting that Tennessee does not currently require direct notification to the state Attorney General's office for data breaches, though this may change as TIPA's enforcement framework matures. Businesses should monitor developments through the AG's office and consult the evolving Tennessee threat landscape for context on the types of breaches triggering enforcement attention.
Industry-Specific Compliance in Tennessee
Healthcare (HIPAA and State Law)
Given Nashville's status as the healthcare capital of the United States, HIPAA compliance is arguably more consequential in Tennessee than in any other state. The concentration of hospital operators, health insurers, electronic health record vendors, and healthcare IT companies means that an enormous share of Tennessee's economy is subject to the HIPAA Privacy and Security Rules. HIPAA does not displace Tennessee law in this area; state law adds requirements on top of it — notably, TCA 47-18-2107 covers entities that may not qualify as HIPAA-covered entities or business associates, extending breach notification obligations to a broader set of healthcare-adjacent businesses. Organizations should evaluate managed IT services for healthcare that integrate HIPAA compliance into their security operations.
Financial Services (GLBA and State Insurance Regulation)
Banks, insurance companies, and financial services firms operating in Tennessee must comply with the Gramm-Leach-Bliley Act's Safeguards Rule, which requires written information security programs, risk assessments, and vendor management. Tennessee's Department of Commerce and Insurance oversees licensed insurers and has adopted provisions aligned with the NAIC Insurance Data Security Model Law, requiring covered entities to implement comprehensive information security programs and report cybersecurity events within 72 hours.
Defense Contractors (CMMC)
Tennessee is home to Arnold Air Force Base in Tullahoma, the Oak Ridge National Laboratory, and the Y-12 National Security Complex — facilities central to national defense and energy research. Defense contractors supporting these installations must achieve Cybersecurity Maturity Model Certification (CMMC) to maintain Department of Defense contracts. CMMC Level 2 requires implementation of 110 security controls from NIST SP 800-171, with third-party assessment for contracts involving controlled unclassified information (CUI).
Education
Tennessee school districts and universities must comply with the Family Educational Rights and Privacy Act (FERPA) and, if they accept payment cards, PCI DSS. The Tennessee Department of Education has also established data governance standards for student information systems. The 2020 ransomware attack on Metro Nashville Public Schools demonstrated the practical consequences when educational institutions lack adequate cybersecurity controls.
Tennessee Compliance Checklist for Businesses
The following checklist provides a practical framework for Tennessee businesses building or evaluating their compliance programs:
Inventory all personal information your organization collects, processes, stores, and shares — including data held by third-party vendors and cloud providers
Determine your TIPA obligations — assess whether you meet the processing thresholds (175,000 residents or 25,000 with 50%+ revenue from data sales) and begin building a privacy program before the July 1, 2025 effective date
Implement a written information security program that aligns with the NIST Cybersecurity Framework or NIST Privacy Framework to qualify for TIPA's affirmative defense
Develop breach notification procedures consistent with TCA 47-18-2107, including pre-drafted notification templates, a communication plan, and defined escalation paths
Conduct data protection assessments for all processing activities that TIPA identifies as high-risk, including targeted advertising, data sales, and sensitive data processing
Review third-party vendor contracts to ensure data processing agreements include security requirements, breach notification obligations, and audit rights
Establish employee training programs covering data handling procedures, phishing recognition, and incident reporting protocols
Document everything — maintain records of compliance activities, risk assessments, and policy decisions to demonstrate good faith in the event of an investigation
How Businesses Stay Compliant
Compliance in Tennessee is not a one-time project. The regulatory environment is evolving, with TIPA adding significant new obligations in 2025 and federal frameworks like CMMC tightening requirements for defense contractors. Businesses that treat compliance as an ongoing operational function rather than an annual audit will be better positioned to adapt to new requirements.
Assign clear ownership — designate a privacy officer or compliance lead responsible for monitoring regulatory changes and coordinating the organization's response
Leverage the NIST framework advantage — TIPA's affirmative defense for businesses that conform to recognized standards like the NIST Privacy Framework provides a meaningful incentive to adopt a structured approach
Integrate compliance into security operations — rather than maintaining separate compliance and security programs, embed regulatory requirements into your daily security monitoring and incident response procedures
Conduct annual risk assessments that evaluate both cybersecurity threats and regulatory exposure, updating your security program based on findings
Organizations without dedicated compliance staff often partner with managed IT services providers that offer integrated compliance and security management, ensuring that technical controls stay aligned with Tennessee's regulatory requirements.
Frequently Asked Questions
When does the Tennessee Information Protection Act take effect?
TIPA takes effect on July 1, 2025. Businesses that meet the processing thresholds should begin building their privacy programs well in advance, including drafting privacy notices, establishing consumer rights request processes, and conducting required data protection assessments.
Does TIPA apply to small businesses?
TIPA's thresholds — processing data of at least 175,000 Tennessee residents, or 25,000 residents with majority revenue from data sales — effectively exempt most small businesses. However, small businesses that handle large volumes of consumer data or operate in data-intensive sectors should evaluate their processing volumes against these thresholds carefully. Regardless of TIPA applicability, all Tennessee businesses remain subject to the breach notification statute (TCA 47-18-2107).
What makes TIPA different from privacy laws in other states?
TIPA's most distinctive feature is its affirmative defense provision. Businesses that create and comply with a written privacy program conforming to the NIST Privacy Framework or comparable standards can use that compliance as a defense in enforcement actions. This provision is more explicit than similar safe harbors in other state laws and provides a concrete incentive for adopting recognized privacy frameworks. TIPA also includes a 60-day cure period, which is more generous than some states.
Does Tennessee require businesses to notify the Attorney General after a data breach?
Tennessee's current breach notification statute (TCA 47-18-2107) does not explicitly require notification to the Attorney General's office for data breaches. The law requires notification to affected individuals and, when more than 1,000 residents are affected, to major credit reporting agencies. This differs from states like Texas, which require AG notification when 250 or more residents are affected. However, the AG retains enforcement authority over the breach notification law through the Tennessee Consumer Protection Act.
Can individuals sue businesses for data breaches in Tennessee?
TIPA does not create a private right of action — only the Attorney General can enforce the law. However, individuals may bring claims under the Tennessee Consumer Protection Act for unfair or deceptive trade practices, pursue common law negligence or breach of contract claims, or — in healthcare contexts — file complaints with HHS that can lead to HIPAA enforcement actions. The BlueCross BlueShield of Tennessee and Community Health Systems breaches both resulted in significant legal actions brought by affected individuals through these alternative pathways.
What is the penalty for violating Tennessee's breach notification law?
Violations of TCA 47-18-2107 are treated as unfair or deceptive acts under the Tennessee Consumer Protection Act. The Attorney General can pursue civil penalties of up to $15,000 per violation, seek injunctive relief, and recover costs of investigation. For willful or knowing violations, treble damages may apply. Given that each affected individual can constitute a separate violation, penalties for large-scale breaches can accumulate rapidly.
Alex Morgan
Updated Apr 4, 2026 · 11 min read