Tennessee bill would make it harder to sue companies after data exposure

According to the U.S. Department of Health and Human Services Office for Civil Rights, 20 Tennessee health care companies have reported data breaches in recent years, resulting in the exposure of personal and financial data of state residents. Several of these companies faced class action lawsuits afterward from patients whose data was leaked or breached.

Republican state Sen. Shane Reeves recently introduced a bill that would make it harder for victims of data breaches to sue these companies, arguing that lawsuits against companies that experience cyberattacks add insult to injury.

“We can’t stop that attack,” Reeves said during a hearing on Tuesday. “But what we can do is try to put things in place so that they’re not being caught up in civil action lawsuits when they’re just trying to get back on their feet.”

Senate bill 2018 “declares a private entity to be not civilly liable in a class action resulting from a cybersecurity event unless the cybersecurity event was caused by willful, wanton, or gross negligence on the part of the private entity.”

Current Tennessee law requires companies to take “reasonable care” to prevent their data from being compromised. However, under the proposed bill, victims would have to prove the company’s cybersecurity practices were insufficient to prevent the attack, a policy that would be one of the most lenient in the country.

The measure, if passed, would also be out of step with federal recommendations from the Cybersecurity and Infrastructure Security Agency to strengthen cybersecurity protections for critical infrastructure sectors, like health care. The Tennessee bill’s advancement follows a February cyberattack against Change Healthcare that disrupted billing, eligibility checks, prior authorization requests and prescription fulfillment for millions of patients.