The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
Data Breach Notification Statute
Covered Entities: Persons or commercial entities that conduct business in Idaho, and cities, counties or state agencies that own or license computerized data that includes personal information.
Consumer Notification: Notification must be provided to any Idaho resident whose “unencrypted computerized data” was acquired illegally in a manner that that materially compromises the security, confidentiality, or integrity of personal information.
Regulatory Notification: Public agencies must notify the Idaho Attorney General within 24 hours of discovery of a breach.
Notification Timeline: Notification must be provided in the “most expedient time possible and without unreasonable delay.”
Data Format: Electronic.
Citations: Idaho Code § 28-51-104 et seq.
- Breach: The “illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information….”
- Personal Information (PI): An Idaho resident’s first name/first initial and last name in combination with one or more of the following, when either the name or data elements are not encrypted:
- Social security number;
- Driver’s license number or Idaho identification card number; or
- Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account.”
- Medical Information: N/A
- Health Insurance Information: N/A
- Encryption: Notification is not required where potentially impacted PI was encrypted.
- Good Faith: Notification is not required where the potentially impacted PI was acquired in good faith by an employee or agent of an agency, individual or a commercial entity for the purposes of the agency, provided that the PI is not used or subject to further unauthorized disclosure.
- Risk of Harm: Notification is not required where a reasonable and prompt investigation determines that misuse of a resident’s PI has not and is not likely to occur.
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.
- Timing: Notification must be provided in the most expedient time possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach, identify impacted individuals, and restore the integrity of the system.
- Format: Notice may be provided written to the most recent known address, telephonically, or electronically so long as the notice is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).
- Content: N/A
- Method: Notification letters may be provided in writing, telephonic, or provided electronically if consistent with the provisions regarding electronic records and signatures in 15 U.S. Code § 7001 (E-SIGN Act).
Substitute notice may be provided if the entity (1) demonstrates that the cost of providing notice will exceed $25,000, (2) that the number of Idaho residents to be notified exceeds 50,000, or (3) does not have sufficient contact information to provide notice. Substitute notice must include (1) email notice, if an email address is available, (2) a conspicuous posting onto the entity’s website, if one is maintained, and (3) notice to major statewide media.
Notice to the Idaho Attorney General must be provided within 24 hours from when a public agency becomes aware of a breach of the security system.
Credit Reporting Agencies Notice:
An entity that maintains computerized data including PI that the entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of a breach if misuse of personal information about an Idaho resident occurred or is reasonably likely to occur.
An individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with section 28-51-105, Idaho Code, if the individual or the commercial entity complies with the maintained procedures when a breach of the security of the system occurs.
- Idaho Code § 28-51-104 et seq