Idaho Disclosure of Breach of Security
Idaho Code § 28-51-104 - § 28-51-107
SUMMARY:
EFFECTIVE. July 1, 2006
WHO DOES THIS LAW APPLY TO. (1) Any person, entity or agency that conducts business in Idaho and owns or licenses computerized data that includes Idaho resident Personal Information; and (2) any person, entity or agency maintaining computerized data which contains Personal Information on state residents that it does not own.
WHAT IS A BREACH. Illegal acquisition of unencrypted computerized data that materially compromises the security, integrity or confidentiality of Personal Information maintained by a person, business, or agency. A good faith acquisition of Personal Information by an employee or agent of the person, business or agency for internal purposes only is not a breach, if it is not subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted:
- Social Security Number.
- Driver’s license number or Idaho identification card number.
- Account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
Personal Information does not include publicly available information, information that is lawfully available from Federal, State or local government records, or widely distributed media.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the Idaho residents affected. No notification is required if the person, business, or agency, after a reasonable investigation, determines that a breach of the security of the system has not occurred or is not reasonably likely to occur.
EXCEPTION. This Section does not apply to the following:
- A person, business or agency which maintains its own notice procedures as part of a Personal Information security policy and is otherwise consistent with the timing requirements of this section, is considered in compliance with this Section if the affected individuals are notified by the person, business or agency in accordance with its policies.
- A person or business that is regulated by State or Federal law and maintains procedures for a security breach pursuant to the State or Federal laws or rules, is considered in compliance with this Section, if the affected individuals are notified in accordance with such policies.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent as soon as possible after the person, business or agency first becomes aware of an incident of unauthorized acquisition. The disclosure shall be made in the most expedient manner possible and without unreasonable delay consistent with the needs of law enforcement, and any measures necessary to determine the nature and scope of the breach, to identify the individual(s) affected and to restore the reasonable integrity of the data system. Notification may be delayed if it will impede a criminal investigation and the delay is requested by law enforcement. In that instance, notification will be made as soon as possible following clearance by law enforcement.
When an agency becomes aware of a breach it shall also, within 24 hours, notify the office of the Idaho Attorney General.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Telephonic.
- Electronic (if the notice is consistent with provisions regarding electronic records and signatures provided in 15 U.S.C. § 7001).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person, business, or agency can demonstrate that the cost of providing notice will exceed $25,000, the affected class of Idaho residents to be notified exceeds 50,000, or the person, business or agency has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person, business, or agency has an Email address for the Idaho resident.
- Conspicuous posting of the notice on the website of the person, business, or agency if one exists.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person, business, or agency maintains computerized data that includes Personal Information which it does not own or license, then the person, business or agency shall give notice to and cooperate with the owner or licensee immediately upon discovery of the breach. Cooperation includes sharing information regarding the breach with the owner or licensee. The person, business or agency that owns or licenses the computerized data shall provide notice to the individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. Any government employee convicted of intentionally disclosing Personal Information not otherwise allowed by law, shall pay a fine of up to $2,000 and/or be sentenced to prison for up to one year.
In the event a person, business or agency fails to give notice as determined by its Primary Regulator, the Primary Regulator may bring a civil lawsuit to enforce compliance and prevent any further violations by Court order. Any person, business or agency that intentionally fails to give notice will be subject to a fine of up to $25,000 per security breach. Primary Regulator means:
- Primary Federal Regulator: for any entities or individuals licensed or chartered by the United States.
- Department of Finance: for any entities or individuals licensed by the Department of Finance.
- Department of Insurance: for any entities or individuals licensed by the Department of Insurance.
- Attorney General: for all other entities, individuals, or agencies.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. None.
LEGISLATIVE UPDATES.
S.B. 1374 – Signed into law on 3/30/2006, Effective 7/1/2006.
H.B. 566 – Signed into law on 3/31/2010, Effective 7/1/2010.
For more information, see here: https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.