Tennessee Raises the Bar on Data Breach Class Actions

Plaintiffs must now plead more than simple negligence

July 16, 2024

In response to a growing number of data breach class action lawsuits, Tennessee has enacted Public Chapter 991, which redefines the standards applicable to these cases. Specifically, plaintiffs in these cases must now plead something more than simple negligence. Moving forward, plaintiffs will be required to show “willful and wanton misconduct or gross negligence” before liability can be imposed. This development is, generally speaking, a deviation from other state data privacy laws. However, the law’s supporters argue it is necessary to protect businesses and Tennessee’s growing economy. 

Public Chapter 991 Explained

Public Chapter 991 was signed into law on May 21, 2024. It provides that a “private entity is not liable in a class action lawsuit resulting from a cybersecurity event unless the cybersecurity event was caused by willful and wanton misconduct or gross negligence on the part of the private entity.” T.C.A. § 29-34-215(b). A cybersecurity event is defined as an “event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system.” T.C.A. § 29-34-215(a)(1). An information system refers to: 

  1. A discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic nonpublic information; or 
  2. A specialized system, including an industrial or process control system, a telephone switching and private branch exchange system, and an environmental control system. 

T.C.A. § 56-2-1003(9). Notably, this section of Tennessee’s Code defines “private entity” to include for-profit corporations and not-for-profit organizations. T.C.A. § 29-34-215(a)(4).  

These broad definitions have the potential to capture a vast scope of class actions resulting from data breaches. Almost all cyberattacks relate to unauthorized access, disruption, or misuse of an information system or nonpublic information stored on such a system. In class actions arising from such events, Tennessee plaintiffs now must show the targeted organization engaged in willful and wanton misconduct or gross negligence, as opposed to merely demonstrating a failure to use reasonable care.  

The Purpose Behind the Law

Tennessee’s law appears to be a response to the rising number of data breach class actions and their accompanying costs to businesses. A recent IBM report found the average cost of a data breach in 2023 was $4.45 million, a 15% increase from 2020. In addition to deciphering what data was lost, stolen, or corrupted and minimizing the disruption of operations, businesses have to contend with the negative publicity resulting from a data breach. Tennessee’s law could hinder class action lawsuits in their earliest stages. However, the response from the plaintiff’s bar remains to be seen. 

The law’s apparent attempt to protect businesses suffering from costly data breaches is consistent with other aspects of Tennessee’s privacy law, the Tennessee Information Protection Act (TIPA). While Public Chapter 991 does not provide a specific cybersecurity standard for businesses to follow, the TIPA grants an affirmative defense to companies that create, maintain, and comply with a written privacy policy that “reasonably conforms” to the National Institute of Standards and Technology Privacy Framework or “other documented policies, standards, and procedures designed to safeguard consumer privacy.” Public Chapter No. 408 §§ 47-18-3213(a) (Tennessee 2023). With the TIPA set to go into effect on July 1, 2025, Tennessee will join only a few other states offering similar safe harbor provisions. As the frequency and costs of data breach class actions grow, it remains to be seen whether other state legislatures will follow Tennessee’s approach in Public Chapter 991 and the TIPA, or if mounting pressure from the plaintiff’s bar and privacy rights advocates will successfully prevent similar statutes in the future. 

This article originally appeared on Freeman Mathis & Gary LLP.

About the Authors:

Matthew P. Delfino is an associate at Freeman Mathis & Gary LLP. matthew.delfino@fmglaw.com

Curt M. Graham is a partner at Freeman Mathis & Gary LLP. cgraham@fmglaw.com

Justin J. Boron is a partner at Freeman Mathis & Gary LLP. jboron@fmglaw.com
