
Evaluating the “NIST Safe Harbor” in the Tennessee Information Protection Act

by John DiGiacomo, Partner, Internet Law

In May 2023, Tennessee enacted a consumer data/information protection statute called the Tennessee Information Protection Act (“TIPA”). See here for the text of the Act. In other articles, the consumer privacy and compliance lawyers here at Revision Legal have offered discussions of various aspects of the TIPA. In this article, we focus on the “NIST safe harbor” – an affirmative defense – that is contained in the TIPA. This defense is available to companies that comply with the privacy framework established and published by the federal National Institute of Standards and Technology (“NIST”), which is part of the U.S. Commerce Department. NIST is probably more famous for the framework and standards it has established for cybersecurity protocols and procedures. However, NIST has also created a framework for how businesses can protect the privacy of network and internet users. Generally, this is called the NIST Privacy Framework.

Under the TIPA, compliance by a company with the NIST Privacy Framework is an affirmative defense to any alleged violations of the TIPA. This affirmative defense — or “safe harbor” — is contained in section 47-18-3213, entitled “Affirmative defense – Voluntary privacy program.” It is worth looking at the exact language. The provision states:

(a) A controller or processor has an affirmative defense to a cause of action for a violation of this part if the controller or processor creates, maintains, and complies with a written privacy policy that:

(1)(A) Reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.” or other documented policies, standards, and procedures designed to safeguard consumer privacy; and

(B) Is updated to reasonably conform with a subsequent revision to the NIST or comparable privacy framework within two (2) years of the publication date stated in the most recent revision to the NIST or comparable privacy framework; and

(2) Provides a person with the substantive rights required by this part.

The current NIST Privacy Framework was published in 2020. See here. The Privacy Framework will be familiar to companies that have used the NIST cybersecurity framework. The Privacy Framework is about 8 or 9 pages with dozens of specific issues and tasks to address. Broadly, the tasks are broken into five areas or functions: identify, govern, control, communicate, and protect. Generally, for each, there is a broad definition of the area/function, a number of sub-tasks, and a larger number of specific tasks. Here is a sampling for the first two:

  • Identify — broadly, this is defined as “Develop the organizational understanding to manage privacy risk for individuals arising from data processing,” with one sub-task example being “inventory and mapping” with a specific task including: “Systems/products/services that process data are inventoried”
  • Govern — broadly, this is defined as “Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risks” — sub-tasks include: “monitoring and review” with specific tasks including such things as “risk management processes are established, managed, and agreed to by organizational stakeholders” and “policies, processes, and procedures for assessing compliance with legal requirements and privacy policies are established and in place”

Evaluation

It is unclear whether this TIPA “safe harbor” is really much of a safe harbor. On the one hand, starting with the NIST Privacy Framework as a template for bringing a company into compliance with the TIPA might be feasible. That would, in theory, trigger the safe harbor if violations are alleged. On the other hand, it might be easier and more cost-effective to start with and explicitly follow the requirements of the TIPA. Moreover, any conflicts or ambiguities between the TIPA and the NIST Privacy Framework will almost certainly be resolved in favor of the TIPA. As a general rule, it is better to work steadily to achieve compliance with a statute than to “chase a safe harbor.”

Further, it is certainly not clear or obvious how one would go about proving — during an investigation — that one is in “reasonable” conformity with the NIST Privacy Framework. It should also be noted that the NIST Privacy Framework is now three years old, which might suggest that the framework is not a high priority for the Commerce Department. If it is not revised, it will become less and less authoritative.

Contact The Consumer Data Privacy and Compliance Attorneys At Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
