Security Breach Notification Law in the State of Idaho

January 24, 2022 | 4 minutes read
Security Breach Notification Law in the State of Idaho

Idaho Stat. §§ 28-51-104 to -107 is a data breach notification law that was passed in the U.S. state of Idaho in 2010. Idaho Stat. §§ 28-51-104 to -107 sets forth the guidelines that businesses, agencies, and organizations must follow in the event that they experience a data breach that leads to the unauthorized disclosure of personal information pertaining to citizens residing within the state of Iowa. Through Idaho Stat. §§ 28-51-104 to -107, residents of Iowa have the means to seek both justice and compensation in the event that their personal information is compromised due to a data breach, as the law establishes various punishments that businesses and organizations stand to face should they fail to comply with the provisions that were set forth.

How is a security breach defined?

Under Idaho Stat. §§ 28-51-104 to -107, a security breach is defined as “an illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of PI for one or more persons maintained by Entity.” Alternatively, the “good-faith acquisition of PI by an employee or agent of an Entity for the purposes of the Entity is not a breach of the security of the system, provided that the PI is not used or subject to further unauthorized disclosure.” Moreover, as it concerns the scope and application of Idaho Stat. §§ 28-51-104 to -107, the law applies to “any agency, individual or commercial entity (collectively, Entity) that conducts business in ID and that owns or licenses computerized data that includes PI about a resident of ID.”

What are the requirements of businesses and organizations?

Under Idaho Stat. §§ 28-51-104 to -107, businesses are organizations within Idaho are required to provide citizens of the state with data breach notifications in the event that said entities experience a security breach. These notices must be made expediently and without unreasonable delay, and must also provide consumers with information concerning the scope and severity of the breach, the number of individuals that have been affected, and any means that the business or organization that has experienced the breach has taken to “restore the reasonable integrity of the computerized data system.” What’s more, states agencies within Idaho are also required to inform the Idaho Attorney General within 24 hours of experiencing a security breach.

Conversely, the law also outlines the circumstances under which a business or organization within the state may provide consumers with substitute data breach notices. Under Idaho Stat. §§ 28-51-104 to -107, businesses and organizations within Idaho that experience a security breach may provide affected consumers with substitute notices in instances where the cost of providing standard data notices would exceed $25,000, the number of Idaho residents that were affected by the breach exceeds 50,000, or the entity that experienced the breach does not have sufficient contact information. Furthermore, these substitute notices must consist of the following:

What forms of personal information are covered?

Under Idaho Stat. §§ 28-51-104 to -107, the following categories of personal information are covered under the should, in conjunction with an Idaho “first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted”:

In terms of the enforcement of the law, the provisions set forth in Idaho Stat. §§ 28-51-104 to -107 are enforced by the Idaho Attorney General. As such, businesses and organizations within the state who fail to comply with the data breach notification requirements that were established by the law are subject to a monetary penalty of up to $25,000 per breach. Idaho Stat. §§ 28-51-104 also contains additional penalties for government disclosures, as the law states “any governmental employee that intentionally discloses personal information not subject to disclosure otherwise allowed by law shall be subject to a fine of not more than $2,000, by imprisonment in the county jail for a period of not more than 1 year, or both.”

The enactment of Idaho Stat. §§ 28-51-104 to -107 provided citizens of Idaho with legal protections should their personal information be involved in a security or data breach. Despite the fact that the law was passed more than 10 years ago, the protections afforded residents of Idaho under Idaho Stat. §§ 28-51-104 to -107 are on par with similar legislation that has been passed more recently. As such, residents of the state of Idaho can rest assured that they will be protected from adverse consequences should their personal information be improperly disclosed as a result of a data breach.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Arizona’s Proposed New Law on Public Records Requests
March 13, 2023 | 7 minutes read
Arizona’s Proposed New Law on Public Records Requests

A Bit of History The date February 14th might stand out to most of us, and if you haven’t figured out why, it’s because it is the anniversary of Arizona’s Statehood. Over 100 years ago, Arizona became the 48th state to be admitted into the United States. Since governance is as old as human history, […]

Learn More »