Tennessee Enacts Cybersecurity Safe Harbor Against Class Action Lawsuits

On May 21, 2024, Tennessee Governor Bill Lee signed HB 2434, a law designed to shield businesses from lawsuits related to a cybersecurity event. The law comes on the heels of high-profile ransomware attacks against Nashville-based United Healthcare Group and Ascension Saint Thomas, both of which are now facing numerous class action lawsuits.

Overview

HB2434 shields private entities [1] from class action liability that originates from a “cybersecurity event” provided that the event was not the result of willful, wanton, or gross negligence on the part of the private entity. Cybersecurity event is defined as “an event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system.” Nonpublic information is information that is not publicly available and that concerns a person’s name or other identifier, in combination with: a Social Security number; a driver’s license number or non-driver identification card number; a financial account number or credit or debit card number; a security code, access code, or password that would permit access to the person's financial accounts; or biometric records.

Notably, these definitions differ from how other Tennessee laws define “breach” and “personal information.” [2] Because Tennessee law does not always feature a private right of action, claimants in data breach class action lawsuits are often left to rely on common law tort theories (such as negligence). Accordingly, HB2434 amends the Tennessee Code Annotated’s section on tortious liability.

Data Breach Class Actions

Data breach class actions have exploded in recent years. Change Healthcare suffered a ransomware attack in February 2024, and by April was mounting its defense against dozens of class action lawsuits. Similarly, Ascension St. Thomas was first impacted by ransomware on May 8, 2024. An Ascension patient filed a class action lawsuit only sixteen days later. In the 44-page complaint, the Plaintiff alleges that the breach was the result of Ascension’s negligence (i.e., a failure to use reasonable security measures to protect patients’ personal information).

HB 2434’s requirement that gross negligence be present for a private entity to be subject to a class action lawsuit is legally significant. Under Tennessee's common law, there is a clear difference between negligence and gross negligence. The latter requires evidence of a defendant's subjective mental state, also referred to as willful or wanton misconduct. [3]

The question that naturally follows is: what are the negligence thresholds in the context of a security event? Take Change Healthcare’s admission that the root cause of the incident was the failure to implement multi-factor authentication on a remote access platform. Simply, and without detailing the basic elements of a negligence claim, to establish that Change Healthcare exhibited gross negligence, a class action plaintiff's attorney would need to show that the company was aware of the absence of multi-factor authentication and disregarded the potential repercussions. While certainly not impossible, this is a far higher evidentiary bar to hurdle.

HB2434 went into effect upon Governor Lee’s signing. Therefore, the safe harbor could dramatically impact Change Healthcare and Ascension’s defense against future lawsuits.

Effective Use of the Safe Harbor

As we discussed above, businesses cannot view HB2434 as a blanket exemption. Most organizations, particularly those in highly regulated industries, possess internal documents that contain information about the business’s cybersecurity practices. These materials are highly relevant to potential data breach litigation and are precisely what plaintiffs aim to use as the basis of a cyber-related negligence claim. Examples include pre-breach documentation such as gap analyses and risk assessments, tabletop exercise and employee training reports, internal privacy and security policies, audit reports, or memorialized analyses of prior incidents.

Consequently, organizations should attempt to protect such documentation from discovery under the attorney-client privilege or “work product” doctrine. [4] With the involvement of outside counsel at the outset of governance, risk and compliance efforts surrounding data security, a legal argument exists that certain cybersecurity steps were taken to help the lawyer explain to the organization what legal obligations it has and whether such obligations are/were being met.

Using the aforementioned hypothetical about a plaintiff’s burden of proving that Change Healthcare possessed prior knowledge that MFA was not in place, the discovery of a past risk assessment or security audit reflecting this specific technical omission could be used to support a finding of gross negligence. Whether such documentation would be subject to discovery in the first place likely depends upon the presence of attorney-client privilege.

Therefore, organizations that wish to take advantage of the newly enacted Tennessee data breach safe harbor should adhere to the following three principles:

  1. Involve outside counsel in the creation of cybersecurity plans and policies, analyses and assessments, and other related materials, both pre- and post-incident

  2. Structure all documentation to reflect that the underlying purpose is to obtain legal advice from outside counsel (i.e., an analysis of whether an organization’s security requirements comply with laws and regulations)

  3. Use outside counsel to engage vendors on behalf of the client-business for the purpose of providing legal advice (note that an independent services agreement should be executed with vendors in the case of a preexisting or ongoing engagement)

Questions about the Tennessee data breach safe harbor and how it may affect your organization? Reach out to a Ritter Gallagher attorney at contact@rittergallagher.com.

[1] A “private entity” is defined as “a corporation, religious or charitable organization, association, partnership, limited liability company, limited liability partnership, or other private business entity, whether organized for-profit or not-for-profit.”

[2] T.C.A. § 47-18-2107 and T.C.A. § 47-18-3302.
[3] Lawson v. Hawkins Cnty., 661 S.W.3d 54, 61 (Tenn. 2023).

[4] Simply put, attorney-client privilege refers to communications made for the purpose of obtaining legal advice from an attorney, while the work product doctrine is the protection of documentation prepared in anticipation of litigation.
