TN HB1033
Bill
Status
2/5/2025
Primary Sponsor
Vincent Dixie
AI Summary
- Businesses that maintain a written cybersecurity program conforming to recognized industry frameworks (such as NIST, ISO 27000, HIPAA, or Gramm-Leach-Bliley) gain an affirmative defense against tort lawsuits alleging failure to implement reasonable security controls after a data breach
- Covered entities must designate a chief information officer or security officer to coordinate the cybersecurity program and train employees on security practices and regulations
- The affirmative defense is unavailable if the business had actual notice of a security threat and failed to act within a reasonable time or failed to notify affected parties of a breach
- Protected information categories include personal information (names, SSNs, account numbers, biometric data), personal health information subject to HIPAA, and restricted information that could enable identity theft if breached
- The act takes effect July 1, 2025, and explicitly does not create any private right of action or class action claims
Legislative Description
AN ACT to amend Tennessee Code Annotated, Title 20; Title 29 and Title 47, Chapter 18, relative to data security.
Civil Procedure
Last Action
Assigned to s/c Civil Justice Subcommittee
2/11/2025