In May 2023, Tennessee enacted a consumer data/information protection statute called the Tennessee Information Protection Act (“TIPA”). See here for the text of the Act. In other articles, the consumer privacy and compliance lawyers here at Revision Legal have offered discussions of various aspects of the TIPA. In this article, we focus on the “NIST safe harbor” – an affirmative defense – that is contained in the TIPA. This defense is available to companies that comply with the privacy framework established and published by the federal National Institute of Standards and Technology (“NIST”), which is part of the U.S. Commerce Department. NIST is probably more famous for its framework and standards established for cybersecurity protocols and procedures. However, NIST has also created a framework for how businesses can protect the privacy of network and internet users. Generally, this is called the NIST Privacy Framework.
Under the TIPA, compliance by a company with the NIST Privacy Framework is an affirmative defense to any alleged violations of the TIPA. This affirmative defense — or “safe harbor” — is contained in section 47-18-3213, entitled “Affirmative defense – Voluntary privacy program.” It is worth looking at the exact language. The provision states:
(a) A controller or processor has an affirmative defense to a cause of action for a violation of this part if the controller or processor creates, maintains, and complies with a written privacy policy that:
(1)(A) Reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.” or other documented policies, standards, and procedures designed to safeguard consumer privacy; and
(B) Is updated to reasonably conform with a subsequent revision to the NIST or comparable privacy framework within two (2) years of the publication date stated in the most recent revision to the NIST or comparable privacy framework; and
(2) Provides a person with the substantive rights required by this part.
The current NIST Privacy Framework was published in 2020. See here. The Privacy Framework will be familiar to companies that have used the NIST cybersecurity framework. The Privacy Framework is about 8 or 9 pages with dozens of specific issues and tasks to address. Broadly, the tasks are broken into five areas or functions: identify, govern, control, communicate, and protect. Generally, for each, there is a broad definition of the area/function, a number of sub-tasks, and a larger number of specific tasks. Here is a sampling for the first two:
- Identify — broadly, this is defined as “Develop the organizational understanding to manage privacy risk for individuals arising from data processing,” with one sub-task example being “inventory and mapping” with a specific task including: “Systems/products/services that process data are inventoried”
- Govern — broadly, this is defined as “Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risks” — sub-tasks include: “monitoring and review” with specific tasks including such things as “risk management processes are established, managed, and agreed to by organizational stakeholders” and “policies, processes, and procedures for assessing compliance with legal requirements and privacy policies are established and in place”
Evaluation
It is unclear whether this TIPA “safe harbor” is really much of a safe harbor. On the one hand, starting with the NIST Privacy Framework as a template for bringing a company into compliance with the TIPA might be feasible. That would, in theory, trigger the safe harbor if violations are alleged. On the other hand, it might be easier and more cost-effective to start with and explicitly follow the requirements of the TIPA. Moreover, any conflicts or ambiguities between the TIPA and the NIST Privacy Framework will almost certainly be resolved in favor of the TIPA. As a general rule, it is better to work steadily to achieve compliance with a statute than to “chase a safe harbor.”
Further, it is certainly not clear or obvious how one would go about proving — during an investigation — that one is in “reasonable” conformity with the NIST Privacy Framework. It should also be noted that the NIST Privacy Framework is now three years old, which might suggest that the framework is not a high priority for the Commerce Department. As such, it will become less and less authoritative.