6.21.23 > Jerrod Montoya

There are now 10 comprehensive privacy laws enacted in the United States. The new laws in 2023 include those in Montana, Indiana, Iowa, Tennessee, and Texas. These laws join already existing laws including California, Utah, Colorado, Virginia, and Connecticut. These laws all share commonalities that resemble the EU’s Global Data Protection Regulation (GDPR). However, the recently passed law in Tennessee stands out from all other laws in one significant way.

What is Unique about Tennessee?

The Tennessee law enacted on May 24, 2023 codifies an affirmative defense for companies that implement and maintain alignment with the new developments of the National Institute of Standards and Technology (NIST) Privacy Framework. Specifically, Section 47-18-3213 (Privacy Program) provides that a company controlling or processing in scope information must establish a privacy program that “reasonably conforms” to the NIST Privacy Framework and its subsequent revisions. This novel addition to comprehensive state legislation includes a variety of factors to consider in establishing such a program, including size and complexity of the organization, nature and scope of activities, sensitivity of information being processed, cost and availability of tools, and compliance with comparable state or federal law. Also under this law, a failure to maintain a privacy program in accordance with Section 47-18-3213 is considered an “unfair and deceptive act.” An organization that becomes subject to a claim for violating the privacy law can mount an affirmative defense if it “creates, maintains, and complies with a written privacy program as described in Section 47-18-3213.”

What is the NIST Privacy Framework?

Released in January 2020, the voluntary NIST Privacy Framework is designed to help organizations effectively address privacy considerations in their operations. The relationship between the NIST Privacy Framework and the NIST Cybersecurity Framework is complementary. While the NIST Cybersecurity Framework primarily focuses on protecting systems and data from cybersecurity risks, the NIST Privacy Framework addresses privacy risks associated with the collection, storage, use, and sharing of personal information. The two frameworks can be used together to develop a comprehensive approach to managing both privacy and cybersecurity risks within an organization.

Why should you care?

An affirmative defense is a legal term of art meaning that a company may be found not liable even if the party bringing the lawsuit proves their case. For example, say your organization is sued for violation of the Tennessee privacy law. Your company may not be liable if it can prove that your company “reasonably conforms” to the NIST Privacy Framework as specified in Section 47-18-3213. This unique provision in the Tennessee law is sure to gain attention and will most likely begin positioning the implementation of the NIST Privacy Framework as a baseline best practice.

With the NIST Privacy Framework poised for more exposure, it is worth considering some limitations and risks associated with attempting to build a program strictly based on the NIST Privacy Framework.

One limitation is that the NIST Privacy Framework is high level and lacks specific guidance. In addition, the NIST Privacy Framework lacks key elements of recently enacted laws, which may lead to gaps without further analysis of the relationship between the Privacy Framework and applicable legislation. What it means to “reasonably conform” to the NIST Privacy Framework is not easily define and may require assistance of counsel or a consultant with a firm understanding in data protection. There’s significant overlap with the NIST Cybersecurity Framework not fully considered in the Privacy Framework.

3 Tips for Approaching the NIST Privacy Framework

If you find your company moving to “reasonably conform” to the NIST Privacy Framework, here are 3 tips to consider.

  • Look at both the Privacy Framework and the Cybersecurity Framework together when building out your implementation plan.

The Protect-P function has a sub-function for “Data Security”, which is not very helpful. This is one example area where the Protect function in the Cybersecurity Framework can supplement and provided insights into what should be included for data security.

  • Make sure you understand applicable legal requirements and map to the relevant Privacy and Cybersecurity Framework functions.

Back in January 2020, the GDPR was still learning to walk and the California Consumer Privacy Act (CCPA) wouldn’t be passed for another 8 months. Since that time, nine more laws have emerged that transition the US from a voluntary framework model into a legally mandated one. Those laws and applicable requirements must be incorporated into the voluntary framework.

  • Tailor the Frameworks to your business.

The Frameworks are voluntary and designed to be tailored to your business process. NIST recognizes this and provides a caveat in the Privacy Framework, but readers have a tendency to skip to the table and adopt the listed functions and controls at face value. Read both frameworks and customize accordingly.


Jerrod Montoya, JD, CIPP/US, ISO 27001 Lead Implementer, leads the data protection team at Truvantis, Inc., a cybersecurity and data protection company. Jerrod helps companies navigate the complex world of data protection and implement reasonable security practices.