Faced with growing concerns about identify theft, the General Assembly has begun to take steps to protect consumer information in business and government data bases that could be used for fraudulent purposes. Effective July 1, 2005, new provisions enacted in Title 47 of the Tennessee Code Annotated by 2005 Public Chapter 473 require county governments to notify affected parties when there has been unauthorized access to certain personal consumer information in the county’s computers. The law applies broadly to any business doing business in the state of Tennessee and all agencies of the state of Tennessee and its political subdivisions. These entities must disclose, to any residents whose information has been compromised, any breach of a computer system which allows unauthorized disclosure of an individual’s name in combination with any of the following: social security number, driver license number, financial account numbers, or credit or debit card numbers. Personal information does not include publicly available information lawfully made available to the general public from federal, state, or local government records. Notice may be provided by written notice or electronic notice. Substitute notice is allowed if the cost of providing notice would exceed $250,000 or requires notice to more than 500,000 individuals. Substitute notice is defined to consist of e-mail notice if the information holder has e-mails for the affected parties, conspicuous posting of the notice on any internet page of the information holder, and notice to major statewide media. If circumstances require notification to more than 1,000 persons at one time, notice to all consumer reporting agencies and credit bureaus of the breach is also required. Any person injured by a violation of this act may bring a civil action against business entities to recover damages or enjoin the violator from further actions violating these requirements; however, state agencies and political subdivisions are exempt from the civil damages provisions of the act.