HB1033 • 2026

Civil Procedure

AN ACT to amend Tennessee Code Annotated, Title 20; Title 29 and Title 47, Chapter 18, relative to data security.

Technology
Active

The official status still shows this bill as active or still awaiting another formal step.

Sponsor
Dixie, Akbari
Last action
2025-02-11
Official status
Assigned to s/c Civil Justice Subcommittee
Effective date
Not listed

Plain English Breakdown

The bill summary and text do not provide specific penalties for non-compliance.

Data Security Requirements for Businesses

This bill requires businesses that handle personal, health, or restricted information to create a cybersecurity program to protect against data breaches.

What This Bill Does

  • Defines 'covered entity' as any business handling specific types of sensitive information.
  • Requires covered entities to develop and follow a written cybersecurity plan with safeguards for protecting the information they manage.
  • Specifies that the cybersecurity plan must include measures to prevent, detect, and respond to threats and breaches.
  • Allows covered entities to use industry-recognized frameworks like NIST or HIPAA to meet these requirements.
  • Provides an affirmative defense in court if a breach occurs but the entity followed proper security protocols.

Who It Names or Affects

  • Businesses that handle personal, health, or restricted information.
  • Individuals whose data is protected by this legislation.

Terms To Know

Covered Entity
A business that handles personal, health, or restricted information.
Data Breach
An incident where sensitive data is accessed without authorization.

Limits and Unknowns

  • The bill does not create a private right of action for individuals affected by breaches.
  • It remains to be seen how strictly businesses will adhere to the new requirements and whether they will face penalties for non-compliance.
  • The effectiveness of the affirmative defense in court cases is uncertain.

Bill History

  1. 2026-03-09 Tennessee General Assembly

    Assigned to General Subcommittee of Senate Judiciary Committee

  2. 2025-02-12 Tennessee General Assembly

    Passed on Second Consideration, refer to Senate Judiciary Committee

  3. 2025-02-11 Tennessee General Assembly

    Assigned to s/c Civil Justice Subcommittee

  4. 2025-02-10 Tennessee General Assembly

    P2C, ref. to Judiciary Committee

  5. 2025-02-10 Tennessee General Assembly

    Introduced, Passed on First Consideration

  6. 2025-02-06 Tennessee General Assembly

    Intro., P1C.

  7. 2025-02-06 Tennessee General Assembly

    Filed for introduction

  8. 2025-02-05 Tennessee General Assembly

    Filed for introduction

Official Summary Text

CYBERSECURITY PROGRAM

This bill requires a business that accesses, receives, stores, maintains, communicates, or processes personal information, personal health information, or restricted information in or through one or more systems, networks, or services located in or outside of this state ("covered entity") seeking an affirmative defense under this bill to create, maintain, and comply with a written cybersecurity program that contains administrative, technical, operational, and physical safeguards for the protection of both personal information, personal health information, and restricted information at the time of the breach.

The program must be designed to do all of the following:

  • Protect against a breach of security.
  • Protect the security and integrity of personal information, personal health information, and restricted information.
  • Protect against any anticipated threat to the security or integrity of personal information, personal health information, and restricted information.
  • Continually evaluate and mitigate any reasonably anticipated internal or external threats or hazards that could lead to a data breach, including conducting annual privacy and security risk assessments.
  • Communicate to any affected parties the extent of any risk posed and actions the affected parties may take to reduce any damages if a data breach is known to have occurred.

This bill requires the covered entity to have a chief information officer or security officer assigned to coordinate the program and take measures to train employees on the necessary safety practices and regulations.

A covered entity satisfies the above requirements if the written cybersecurity program contains written protocols that reasonably conform to an industry-recognized cybersecurity framework at the time of the breach.

AFFIRMATIVE DEFENSE

This bill provides that a covered entity that satisfies the above requirements is entitled to an affirmative defense to any cause of action in tort brought under the laws of this state or in the courts of this state, even if the covered entity's agent breached the covered entity's data, when it is alleged that the failure to implement reasonable information security controls resulted in a data breach of personal information, personal health information, or restricted information. However, a covered entity may not claim such an affirmative defense if the covered entity had actual notice of a threat or hazard to the security or integrity of the personal information, personal health information, or restricted information and did not act to mitigate the threat or potential hazard within a reasonable time in accordance with the industry-recognized cybersecurity framework timeframe to make proper notifications to inform affected parties a breach has occurred.

CONFORMATION TO INDUSTRY-RECOGNIZED CYBERSECURITY FRAMEWORK

This bill provides that a covered entity's cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework for purposes of this bill if, at the time of the breach, any of the following criteria is met:

  • The cybersecurity program reasonably conforms to the current version of (i) the Framework for Improving Critical Infrastructure Cybersecurity developed by the national institute of standards and technology (NIST); (ii) NIST Special Publication 800-171; (iii) NIST Special Publications 800-53 and 800-53A; (iv) the International Organization for Standardization and International Electrotechnical Commission's 27000 Family of Standards; (v) the Federal Risk and Authorization Management Program Security Assessment Framework; or (vi) the Center for Internet Security's Critical Security Controls for Effective Cyber Defense.
  • The covered entity is regulated by the state, the federal government, or both, or is otherwise subject to, and the cybersecurity program reasonably conforms to, the entirety of the current version of one or more of the following at the time of the breach: (i) the security requirements of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA); (ii) Title V of the Gramm-Leach-Bliley Act; (iii) the Federal Information Security Modernization Act of 2014; (iv) the Health Information Technology for Economic and Clinical Health (HITECH) Act; or (v) another applicable federal or state regulation.
  • The cybersecurity framework reasonably complies with both the current version of the payment card industry data security standard and conforms to the current version of another applicable industry-recognized cybersecurity framework.

However, if a new and final revision to a framework listed above is published, then this bill requires a covered entity whose cybersecurity program reasonably conforms to such framework to conform the elements of its cybersecurity program to the revised framework, or another applicable framework listed above, within the timeframe provided, if any, in the relevant framework upon which the covered entity intends to rely to support its affirmative defense. In all cases, the covered entity must come into compliance with the new and final revision, or another framework listed above, within the earlier of one year after the publication date of the new and final revision or its stated compliance date, if any.

NO PRIVATE CAUSE OF ACTION

This bill does not create a private right or cause of action, including a class action, with respect to any act or practice regulated under this bill.

Current Bill Text

SENATE BILL 1421
By Akbari

HOUSE BILL 1033
By Dixie

HB1033
000603
- 1 -

AN ACT to amend Tennessee Code Annotated, Title 20;
Title 29 and Title 47, Chapter 18, relative to data
security.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF TENNESSEE:
SECTION 1. Tennessee Code Annotated, Title 47, Chapter 18, is amended by adding
the following as a new part:
47-18-3501.
As used in this part:
(1) "Business" means a limited liability company, limited liability
partnership, corporation, sole proprietorship, association, or other group,
however organized, and operating for profit or not for profit;
(2) "Covered entity" means a business that accesses, receives, stores,
maintains, communicates, or processes personal information, personal health
information, or restricted information in or through one (1) or more systems,
networks, or services located in or outside of this state;
(3) "Data breach":
(A) Means an intentional or unintentional act that has the potential
to result in electronic information owned, licensed to, or otherwise
protected by a covered entity being viewed, copied, modified, transmitted,
or destroyed in a manner that is reasonably believed to cause or have the
potential to cause material risk of fraud, identity theft, or other injuries or
damage to person or property; and
(B) Does not include:
(i) Disclosure of personal information, personal health
information, or restricted information pursuant to a search warrant,
subpoena, or other court order, or pursuant to a subpoena, order,
or duty of a regulatory agency; and
(ii) Good faith transmission of personal information,
personal health information, or restricted information by the
covered entity's employee or business associate, or an agent on
behalf of the covered entity; provided, that the personal
information, personal health information, or restricted information
is not used for an unlawful purpose or subject to further
unauthorized disclosure;
(4) "Encrypted" means the use of an algorithmic process to transform
data into a form for which there is a low probability of assigning meaning without
the use of a confidential process or key;
(5) "Individual" means a natural person;
(6) "Personal health information" means information in the medical record
or designated record set that can be used to identify an individual and that was
created, used, or disclosed in the course of providing a healthcare service,
including diagnosis or treatment, and for which the standards, implementation
specifications, and requirements for protecting electronic protected health
information are described in 45 CFR 164, subpart C;
(7) "Personal information":
(A) Means information relating to an individual who can be
identified, directly or indirectly, in particular by reference to an identifier
such as a name, an identification number, social security number, driver's
license number or state identification card number, passport number,
account number or credit or debit card number, location data, biometric
data, an online identifier, or one (1) or more factors specific to physical,
physiological, genetic, mental, economic, cultural, or social identity of
such individual; and
(B) Does not include personal health information or restricted
information; and
(8) "Restricted information" means information that is sensitive about an
individual, other than personal information or publicly available information, that
alone or combined with other information can be used to distinguish or trace an
individual's identity or can be linked to an individual if the information is not
encrypted, redacted, or altered by any method or technology in a manner that
renders the information unreadable, and the breach of which is likely to result in a
material risk of identity theft or other fraud to a person or property.
47-18-3502.
(a)
(1) A covered entity seeking an affirmative defense under this part shall
create, maintain, and comply with a written cybersecurity program that contains
administrative, technical, operational, and physical safeguards for the protection
of both personal information, personal health information, and restricted
information at the time of the breach.
(2) The program must be designed to:
(A) Protect against a breach of security;
(B) Protect the security and integrity of personal information,
personal health information, and restricted information;
(C) Protect against any anticipated threat to the security or
integrity of personal information, personal health information, and
restricted information;
(D) Continually evaluate and mitigate any reasonably anticipated
internal or external threats or hazards that could lead to a data breach,
including conducting annual privacy and security risk assessments; and
(E) Communicate to any affected parties the extent of any risk
posed and actions the affected parties may take to reduce any damages
if a data breach is known to have occurred.
(3) The covered entity must have a chief information officer or security
officer assigned to coordinate the program and take measures to train employees
on the necessary safety practices and regulations.
(b) A covered entity satisfies subsection (a) if the written cybersecurity program
contains written protocols that reasonably conform to an industry-recognized
cybersecurity framework at the time of the breach, as described in § 47-18-3503.
(c) A covered entity that satisfies this section is entitled to an affirmative defense
to any cause of action in tort brought under the laws of this state or in the courts of this
state, even if the covered entity's agent breached the covered entity's data, when it is
alleged that the failure to implement reasonable information security controls resulted in
a data breach of personal information, personal health information, or restricted
information.
(d) A covered entity may not claim an affirmative defense under this section if
the covered entity had actual notice of a threat or hazard to the security or integrity of the
personal information, personal health information, or restricted information and did not
act to mitigate the threat or potential hazard within a reasonable time in accordance with
the industry-recognized cybersecurity framework timeframe to make proper notifications
to inform affected parties a breach has occurred.
47-18-3503.
(a) A covered entity's cybersecurity program reasonably conforms to an industry-
recognized cybersecurity framework for purposes of this part if, at the time of the breach:
(1) The cybersecurity program reasonably conforms to the current
version of one (1) or more of the following, subject to subsection (b):
(A) The Framework for Improving Critical Infrastructure
Cybersecurity developed by the national institute of standards and
technology (NIST);
(B) NIST Special Publication 800-171;
(C) NIST Special Publications 800-53 and 800-53A;
(D) The International Organization for Standardization and
International Electrotechnical Commission's 27000 Family of Standards;
(E) The Federal Risk and Authorization Management Program
Security Assessment Framework; or
(F) The Center for Internet Security's Critical Security Controls for
Effective Cyber Defense; or
(2) The covered entity is regulated by the state, the federal government,
or both, or is otherwise subject to, and the cybersecurity program reasonably
conforms to, the entirety of the current version of one (1) or more of the following
at the time of the breach, subject to subsection (b):
(A) The security requirements of the federal Health Insurance
Portability and Accountability Act of 1996 (HIPAA), as set forth in 45 CFR
part 164, subpart C;
(B) Title V of the Gramm-Leach-Bliley Act, Pub. L. No. 106-102,
as amended;
(C) The Federal Information Security Modernization Act of 2014,
Pub. L. No. 113-283;
(D) The Health Information Technology for Economic and Clinical
Health (HITECH) Act, as set forth in 45 CFR part 164; or
(E) Another applicable federal or state regulation; or
(3) The cybersecurity framework reasonably complies with both the
current version of the payment card industry data security standard and conforms
to the current version of another applicable industry-recognized cybersecurity
framework, subject to subsection (b).
(b) If a new and final revision to a framework listed in subsection (a) is
published, then a covered entity whose cybersecurity program reasonably conforms to
such framework shall conform the elements of its cybersecurity program to the revised
framework, or another applicable framework listed in subsection (a), within the timeframe
provided, if any, in the relevant framework upon which the covered entity intends to rely
to support its affirmative defense. In all cases, the covered entity must come into
compliance with the new and final revision, or another framework listed in subsection (a)
within the earlier of one (1) year after the publication date of the new and final revision or
its stated compliance date, if any.
47-18-3504.
This part does not create a private right or cause of action, including a class
action, with respect to any act or practice regulated under this part.
SECTION 2. This act takes effect July 1, 2025, the public welfare requiring it.