Priya Patel
TLDR:
- Tennessee proposed a bill to make it harder to sue companies after data leaks.
- The bill would require victims to prove the company’s cybersecurity practices were insufficient.
A proposed bill in Tennessee, introduced by Republican state Sen. Shane Reeves, aims to make it more challenging for victims of data breaches to sue companies. The bill, Senate bill 2018, would declare a private entity not civilly liable in a class action resulting from a cybersecurity event unless it was caused by willful, wanton, or gross negligence on the part of the private entity.
Current Tennessee law mandates companies to take “reasonable care” to prevent data leaks, but under this proposed bill, victims would have to demonstrate that the company’s cybersecurity practices were insufficient to prevent the attack. If passed, this policy would be one of the most lenient in the country and out of step with federal recommendations from the Cybersecurity and Infrastructure Security Agency.
The bill has been introduced in response to multiple data breaches in healthcare companies in Tennessee, exposing personal and financial data of state residents. However, critics argue that easing liability for companies could weaken cybersecurity protections and hinder accountability. The bill’s outcome remains uncertain as the debate continues between proponents and opponents.
