Idaho Disclosure of Breach of Security
Idaho Code § 28-51-104 - § 28-51-107
CITATION:
TITLE 28 COMMERCIAL TRANSACTIONS
CHAPTER 51 IDENTITY THEFT
28-51-104. DEFINITIONS. For purposes of sections 28-51-104 through 28-51-107, Idaho Code:
(1) "Agency" means any "public agency" as defined in section 74-101, Idaho Code.
(2) "Breach of the security of the system" means the illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information for one (1) or more persons maintained by an agency, individual or a commercial entity. Good faith acquisition of personal information by an employee or agent of an agency, individual or a commercial entity for the purposes of the agency, individual or the commercial entity is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
(3) "Commercial entity" includes corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture and any other legal entity, whether for profit or not-for-profit.
(4) "Notice" means:
(a) Written notice to the most recent address the agency, individual or commercial entity has in its records;
(b) Telephonic notice;
(c) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. section 7001; or
(d) Substitute notice, if the agency, individual or the commercial entity required to provide notice demonstrates that the cost of providing notice will exceed twenty-five thousand dollars ($25,000), or that the number of Idaho residents to be notified exceeds fifty thousand (50,000), or that the agency, individual or the commercial entity does not have sufficient contact information to provide notice. Substitute notice consists of all of the following:
(i) E-mail notice if the agency, individual or the commercial entity has e-mail addresses for the affected Idaho residents; and
(ii) Conspicuous posting of the notice on the website page of the agency, individual or the commercial entity if the agency, individual or the commercial entity maintains one; and
(iii) Notice to major statewide media.
(5) "Personal information" means an Idaho resident’s first name or first initial and last name in combination with any one (1) or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted:
(a) Social security number;
(b) Driver’s license number or Idaho identification card number; or
(c) Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account.
The term "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.
(6) "Primary regulator" of a commercial entity or individual licensed or chartered by the United States is that commercial entity’s or individual’s primary federal regulator, the primary regulator of a commercial entity or individual licensed by the department of finance is the department of finance, the primary regulator of a commercial entity or individual licensed by the department of insurance is the department of insurance and, for all agencies and all other commercial entities or individuals, the primary regulator is the attorney general.
History:
[28-51-104, added 2006, ch. 258, sec. 1, p. 796; am. 2015, ch. 141, sec. 51, p. 418.]
28-51-105. DISCLOSURE OF BREACH OF SECURITY OF COMPUTERIZED PERSONAL INFORMATION BY AN AGENCY, INDIVIDUAL OR A COMMERCIAL ENTITY. (1) A city, county or state agency, individual or a commercial entity that conducts business in Idaho and that owns or licenses computerized data that includes personal information about a resident of Idaho shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, the agency, individual or the commercial entity shall give notice as soon as possible to the affected Idaho resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach, to identify the individuals affected, and to restore the reasonable integrity of the computerized data system.
When an agency becomes aware of a breach of the security of the system, it shall, within twenty-four (24) hours of such discovery, notify the office of the Idaho attorney general. Nothing contained in this section relieves a state agency’s responsibility to report a security breach to the office of the chief information officer within the department of administration, pursuant to the Idaho technology authority policies.
Any governmental employee who intentionally discloses personal information not subject to disclosure otherwise allowed by law is guilty of a misdemeanor and, upon conviction thereof, shall be punished by a fine of not more than two thousand dollars ($2,000), or by imprisonment in the county jail for a period of not more than one (1) year, or both.
(2) An agency, individual or a commercial entity that maintains computerized data that includes personal information that the agency, individual or the commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of a breach if misuse of personal information about an Idaho resident occurred or is reasonably likely to occur. Cooperation includes sharing with the owner or licensee information relevant to the breach.
(3) Notice required by this section may be delayed if a law enforcement agency advises the agency, individual or commercial entity that the notice will impede a criminal investigation. Notice required by this section must be made in good faith, without unreasonable delay and as soon as possible after the law enforcement agency advises the agency, individual or commercial entity that notification will no longer impede the investigation.
History:
[28-51-105, added 2006, ch. 258, sec. 1, p. 797; am. 2014, ch. 97, sec. 13, p. 275.]
28-51-106. PROCEDURES DEEMED IN COMPLIANCE WITH SECURITY BREACH REQUIREMENTS. (1) An agency, individual or a commercial entity that maintains its own notice procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of section 28-51-105, Idaho Code, is deemed to be in compliance with the notice requirements of section 28-51-105, Idaho Code, if the agency, individual or the commercial entity notifies affected Idaho residents in accordance with its policies in the event of a breach of security of the system.
(2) An individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with section 28-51-105, Idaho Code, if the individual or the commercial entity complies with the maintained procedures when a breach of the security of the system occurs.
History:
[28-51-106, added 2006, ch. 258, sec. 1, p. 798.]
28-51-107. VIOLATIONS. In any case in which an agency’s, commercial entity’s or individual’s primary regulator has reason to believe that an agency, individual or commercial entity subject to that primary regulator’s jurisdiction under section 28-51-104(6), Idaho Code, has violated section 28-51-105, Idaho Code, by failing to give notice in accordance with that section, the primary regulator may bring a civil action to enforce compliance with that section and enjoin that agency, individual or commercial entity from further violations. Any agency, individual or commercial entity that intentionally fails to give notice in accordance with section 28-51-105, Idaho Code, shall be subject to a fine of not more than twenty-five thousand dollars ($25,000) per breach of the security of the system.
History:
[28-51-107, added 2006, ch. 258, sec. 1, p. 798.]
For more information, see here: https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.