Tennessee Raises Standards for Data Breach Class Actions

To address the rising number of data breach class action lawsuits, Tennessee has enacted Public Chapter 991, which sets a higher standard for plaintiffs. Signed into law on May 21, 2024, this legislation stipulates that plaintiffs must demonstrate "willful and wanton misconduct or gross negligence" by the defendant to establish liability. This standard deviates from other states’ data privacy laws and aims to protect businesses and support Tennessee’s economic growth.

Public Chapter 991 defines a cybersecurity event as any unauthorized access to or misuse of an information system or nonpublic information. The law applies to both for-profit and non-profit organizations, potentially encompassing a wide range of class actions. By requiring proof of more severe misconduct, the law aims to reduce the burden on businesses facing costly data breach litigation.

Tennessee’s approach is in line with its broader privacy law, the Tennessee Information Protection Act (TIPA), which provides a safe harbor for businesses adhering to certain privacy standards. The new law reflects Tennessee’s effort to balance consumer protection with economic interests, but its impact on plaintiffs and future legislation in other states remains to be seen.