Idaho

Data Breach Notification Statute

Highlights

Covered Entities: Persons or commercial entities that conduct business in Idaho, and cities, counties or state agencies that own or license computerized data that includes personal information.

Consumer Notification: Notification must be provided to any Idaho resident whose “unencrypted computerized data” was acquired illegally in a manner that materially compromises the security, confidentiality, or integrity of personal information.

Regulatory Notification: Public agencies must notify the Idaho Attorney General within 24 hours of discovery of a breach.

Notification Timeline: Notification must be provided in the “most expedient time possible and without unreasonable delay.”

Data Format: Electronic.

Citations: Idaho Code § 28-51-104 et seq.

More Details

Definitions:

  • Breach: The “illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information….”
  • Personal Information (PI):
    • An Idaho resident’s first name/first initial and last name in combination with one or more of the following, when either the name or data elements are not encrypted:
      • Social security number;
      • Driver’s license number or Idaho identification card number; or
      • Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account.
  • Medical Information: N/A
  • Health Insurance Information: N/A 

Safe Harbors:

  • Encryption: Notification is not required where potentially impacted PI was encrypted.
  • Good Faith: Notification is not required where the potentially impacted PI was acquired in good faith by an employee or agent of an agency, individual or a commercial entity for the purposes of the agency, provided that the PI is not used or subject to further unauthorized disclosure.
  • Risk of Harm: Notification is not required where a reasonable and prompt investigation determines that misuse of a resident’s PI has not occurred and is not likely to occur.
  • Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.

Direct Notice:

  • Timing: Notification must be provided in the most expedient time possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach, identify impacted individuals, and restore the integrity of the system.
  • Format: Notice may be provided in writing to the most recent known address, telephonically, or electronically so long as the notice is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).
  • Content: N/A
  • Method: Notification letters may be provided in writing, by telephone, or electronically if consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001 (E-SIGN Act).

Substitute Notice:

Substitute notice may be provided if the entity demonstrates (1) that the cost of providing notice will exceed $25,000, (2) that the number of Idaho residents to be notified exceeds 50,000, or (3) that it does not have sufficient contact information to provide notice. Substitute notice must include (1) email notice, if an email address is available, (2) a conspicuous posting on the entity’s website, if one is maintained, and (3) notice to major statewide media.

Remediation Services:

N/A 

Regulatory Notice:

Notice to the Idaho Attorney General must be provided within 24 hours from when a public agency becomes aware of a breach of the security system. 

Credit Reporting Agencies Notice:

N/A

Third-Party Notice:

An entity that maintains computerized data including PI that the entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of a breach if misuse of personal information about an Idaho resident occurred or is reasonably likely to occur. 

HIPAA:

An individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with section 28-51-105, Idaho Code, if the individual or the commercial entity complies with the maintained procedures when a breach of the security of the system occurs.

Private Action:

N/A

Associated Regulations:

  • Idaho Code § 28-51-104 et seq.