Terms Used In Tennessee Code 56-2-1009

  • Assets: (1) The property comprising the estate of a deceased person, or (2) the property in a trust account.
  • Department: means the department of commerce and insurance. See Tennessee Code 56-2-1003
  • Information security program: means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information. See Tennessee Code 56-2-1003
  • Nonpublic information: means information that is not publicly available and that is:
    (A) Business-related information of a licensee, in which the tampering with, unauthorized disclosure of, access to, or use of, would cause a material adverse impact to the business, operations, or security of the licensee. See Tennessee Code 56-2-1003
  • Representative: when applied to those who represent a decedent, includes executors and administrators, unless the context implies heirs and distributees. See Tennessee Code 1-3-105
  • United States: includes the District of Columbia and the several territories of the United States. See Tennessee Code 1-3-105
  • written: includes printing, typewriting, engraving, lithography, and any other mode of representing words and letters. See Tennessee Code 1-3-105

(a)
(1) This part does not apply to:

(A) A licensee who employs less than twenty-five (25) individuals, regardless of whether the individuals are employees or independent contractors;
(B) A licensee with less than five million dollars ($5,000,000) in gross annual revenue; or
(C) A licensee with less than ten million dollars ($10,000,000) in year-end total assets.
(2) A licensee subject to and governed by the privacy, security, and breach notification rules issued by the United States department of health and human services, 45 CFR Parts 160 and 164, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. § 1320d et seq.), and the federal Health Information Technology for Economic and Clinical Health (HITECH) Act (42 U.S.C. § 300jj et seq. and 42 U.S.C. § 17901 et seq.), and that maintains nonpublic information in the same manner as protected health information meets the requirements of §§ 56-2-1004 and 56-2-1006(c) if the licensee is compliant with, and submits a written statement certifying its compliance with, the federal Health Insurance Portability and Accountability Act of 1996 and the federal Health Information Technology for Economic and Clinical Health.
(3) A licensee subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 (15 U.S.C. §§ 6801-6809 and 6821-6827) that meets the requirements of § 56-2-1006(c) if the licensee is compliant with, and submits a written statement certifying its compliance with, Title V of the federal Gramm-Leach-Bliley Act of 1999.
(4) An employee, agent, representative, or designee of a licensee, who is also a licensee, is exempt from § 56-2-1004 if the activities of the employee, agent, representative, or designee are covered by the other licensee’s information security program.
(b) If a licensee ceases to qualify for an exception under subsection (a), then the licensee has one hundred eighty (180) days from the time the licensee no longer qualifies for the exception to comply with this part.