Tennessee Sets the Highest Bar for Data Breach Class Actions

PC 991 shields businesses from class action lawsuits after a cybersecurity event — unless the breach was caused by gross negligence or willful misconduct.

Effective May 21, 2024 · T.C.A. § 29-34-215

The Law

What PC 991 Does for You

If your business suffers a data breach and faces a class action in Tennessee, PC 991 requires plaintiffs to prove far more than ordinary negligence. They must demonstrate gross negligence or willful and wanton misconduct — a dramatically higher bar. The protection covers:

Ordinary Negligence Blocked

Plaintiffs can no longer succeed on a simple “failure of reasonable care” theory.

All Claim Types

Covers tort, contract, and statutory class actions — any theory arising from a cyber event.

No Program Required

Protection applies automatically to all private entities. No framework compliance needed.

Smart Investment

Protection Is Automatic. Proof Is Not.

Tennessee doesn't require a cybersecurity program to trigger the safe harbor. But if a plaintiff alleges gross negligence, demonstrating a documented security program is the strongest evidence that you acted responsibly. Three reasons to invest:

1. Defend Against the Higher Standard

A documented cybersecurity program is your best evidence that the breach wasn't caused by gross negligence or willful misconduct.

2. Qualify in Other States Too

Ohio, Utah, Connecticut, and Iowa all require framework-aligned programs for their safe harbors. One program covers you everywhere.

3. TIPA Adds a Separate Defense

Tennessee's Information Protection Act (effective 2025) provides an additional affirmative defense for businesses that conform to the NIST Privacy Framework.

Common Concern

It Only Covers Class Actions

Class Actions = Your Biggest Financial Threat

Class actions represent the most significant financial exposure in data breach litigation — often involving millions of affected consumers and multi-million-dollar settlements. By requiring proof of gross negligence, PC 991 eliminates the most common and costly category of breach lawsuits.

What the law doesn't cover: individual lawsuits remain subject to the ordinary negligence standard. The law also does not apply retroactively to cybersecurity events that occurred before May 21, 2024.

How SignumCyber Helps

Turn Compliance into Proof

PC 991 Requires: You had a documented security program
How We Help: 73-domain assessment + policy creation wizard to build your program

PC 991 Requires: Your program followed industry standards
How We Help: NIST CSF, ISO 27001, SOC 2, HIPAA & PCI DSS

PC 991 Requires: Your controls were proportionate to your risk
How We Help: FAIR risk quantification in dollars with ongoing reassessment

PC 991 Requires: You monitored and updated your defenses
How We Help: Periodic reassessment, implementation tracking & reporting

PC 991 Requires: You responded appropriately to incidents
How We Help: Prioritized recommendations, incident response policy & evidence

Bigger Picture

A Growing National Movement

Seven states and counting. The program you build for Tennessee strengthens your defense everywhere.

Ohio 2018
Utah 2021
Connecticut 2021
Iowa 2023
Tennessee 2024
Oregon 2024
Texas 2025

Ready to Build Your Defense?

See how SignumCyber helps you qualify for safe harbor protection — and turn security into a business advantage.

30 minutes. No pressure. Just clarity.

This page is general information about Tennessee's cybersecurity safe harbor law (PC 991), not legal advice. Consult a qualified attorney for guidance specific to your organization.