Tennessee Enacts Cybersecurity Safe Harbor Against Class Action Lawsuits | Ritter Gallagher

On May 21, 2024, Tennessee Governor Bill Lee signed HB 2434, a law designed to shield businesses from lawsuits related to a cybersecurity event. The law comes on the heels of high-profile ransomware attacks against Nashville-based United Healthcare Group and Ascension Saint Thomas, both of which are now facing numerous class action lawsuits.

HB 2434 shields private entities [1] from class action liability that originates from a cybersecurity event, provided that the event was not the result of willful, wanton, or gross negligence on the part of the private entity. "Cybersecurity event" is defined as an event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system. "Nonpublic information" is information that is not publicly available and that concerns a person's name or other identifier in combination with a Social Security number; a driver's license number or non-driver identification card number; a financial account number or credit or debit card number; a security code, access code, or password that would permit access to the person's financial accounts; or biometric records.

Notably, these definitions differ from how other Tennessee laws define "breach" and "personal information." [2] Because Tennessee law does not always feature a private right of action, claimants in data breach class action lawsuits are often left to rely on common law tort theories such as negligence. Accordingly, HB 2434 amends the Tennessee Code Annotated's section on tortious liability.

Data breach class actions have exploded in recent years. Change Healthcare suffered a ransomware attack in February 2024, and by April was mounting its defense against dozens of class action lawsuits. Similarly, Ascension St. Thomas was first impacted by ransomware on May 8, 2024. An Ascension patient filed a class action lawsuit only sixteen days later. In the 44-page complaint, the Plaintiff alleges that the breach was the result of Ascension's negligence, i.e., a failure to use reasonable security measures to protect patients' personal information.

HB 2434's requirement that gross negligence be present for a private entity to be subject to a class action lawsuit is legally significant. Under Tennessee's common law, there is a clear difference between negligence and gross negligence. The latter requires evidence of a defendant's subjective mental state, also referred to as willful or wanton misconduct. [3]

The question that naturally follows is: what are the negligence thresholds in the context of a security event? Take Change Healthcare's admission that the root cause of the incident was the failure to implement multifactor authentication on a remote access platform. Simply, and without detailing the basic elements of a negligence claim, to establish that Change Healthcare exhibited gross negligence, a class action plaintiff's attorney would need to show that the company was aware of the absence of multifactor authentication and disregarded the potential repercussions. While certainly not impossible, this is a far higher evidentiary bar to hurdle.

HB 2434 went into effect upon Governor Lee's signing. Therefore, the safe harbor could dramatically impact Change Healthcare's and Ascension's defense against future lawsuits.

As we discussed above, businesses cannot view HB 2434 as a blanket exemption. Most organizations, particularly those in highly regulated industries, possess internal documents that contain information about the business's cybersecurity practices. These materials are highly relevant to potential data breach litigation and precisely what plaintiffs aim to use as the basis of a cyber-related negligence claim. Examples include pre-breach documentation such as gap analyses and risk assessments, tabletop exercise and employee training reports, internal privacy and security policies, audit reports, or memorialized analyses of prior incidents.

Consequently, organizations should attempt to protect such documentation from discovery under the attorney-client privilege or work product doctrine. [4] With the involvement of outside counsel at the outset of governance, risk, and compliance efforts surrounding data security, a legal argument exists that certain cybersecurity steps were taken to help the lawyer explain to the organization what legal obligations it has and whether such obligations are/were being met.

Using the aforementioned hypothetical about a plaintiff's burden of proving that Change Healthcare possessed prior knowledge that MFA was not in place, the discovery of a past risk assessment or security audit reflecting this specific technical omission could be used to support a finding of gross negligence. Whether such documentation would be subject to discovery in the first place likely depends upon the presence of attorney-client privilege.

Therefore, organizations who wish to take advantage of the newly enacted Tennessee data breach safe harbor should adhere to the following three principles:

1. Involve outside counsel in the creation of cybersecurity plans and policies, analyses and assessments, and other related materials, both pre- and post-incident.

2. Structure all documentation to reflect that the underlying purpose is to obtain legal advice from outside counsel, i.e., an analysis of whether an organization's security requirements comply with laws and regulations.

3. Use outside counsel to engage vendors on behalf of the client/business for the purpose of providing legal advice (note that an independent services agreement should be executed with vendors in the case of a pre-existing or ongoing engagement).

Questions about the Tennessee data breach safe harbor and how it may affect your organization? Reach out to a Ritter Gallagher attorney at contact@rittergallagher.com.

[1] A "private entity" is defined as a corporation, religious or charitable organization, association, partnership, limited liability company, limited liability partnership, or other private business entity, whether organized for-profit or not-for-profit.

[2] T.C.A. § 47-18-2107 and T.C.A. § 47-18-3302.

[3] Lawson v. Hawkins Cnty., 661 S.W.3d 54, 61 (Tenn. 2023).

[4] Simply put, attorney-client privilege refers to communications made for the purpose of obtaining legal advice from an attorney, while the work product doctrine is the protection of documentation prepared in anticipation of litigation.