Linn Foster Freedman of Robinson + Cole notes that Tennessee Governor Bill Lee has signed legislation into law that will shield private entities from class action lawsuits stemming from cybersecurity incidents unless the event was caused by willful, wanton, or gross negligence. The bill amends TCA Title 29 and Title 47. Freedman comments:
This bill will be a blow to class action plaintiffs’ law firms that have routinely filed suit against companies that are victims of criminal cybersecurity attacks, alleging that the companies were negligent in protecting consumer data. The bill provides a high bar for plaintiffs to overcome to pursue class action litigation in Tennessee.
It will be very interesting to see how other states follow. We will be following this closely.
The history of the bill can be found on the state’s website. Nowhere does there seem to be any definition or clarification of what would be considered “willful, wanton, or gross negligence.” If an entity fails to patch promptly when a patch is released, is that wanton or gross negligence? If an entity fails to deploy multifactor authentication, is that “willful negligence?” It will be interesting to see what happens next with litigation in Tennessee.