Security Breach Notification Law in the State of Idaho
Idaho Stat. §§ 28-51-104 to -107 is a data breach notification law that was passed in the U.S. state of Idaho in 2010. Idaho Stat. §§ 28-51-104 to -107 sets forth the guidelines that businesses, agencies, and organizations must follow in the event that they experience a data breach that leads to the unauthorized disclosure of personal information pertaining to citizens residing within the state of Idaho. Through Idaho Stat. §§ 28-51-104 to -107, residents of Idaho have the means to seek both justice and compensation in the event that their personal information is compromised due to a data breach, as the law establishes various punishments that businesses and organizations stand to face should they fail to comply with the provisions that were set forth.
How is a security breach defined?
Under Idaho Stat. §§ 28-51-104 to -107, a security breach is defined as “an illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of PI for one or more persons maintained by Entity.” Alternatively, the “good-faith acquisition of PI by an employee or agent of an Entity for the purposes of the Entity is not a breach of the security of the system, provided that the PI is not used or subject to further unauthorized disclosure.” Moreover, as it concerns the scope and application of Idaho Stat. §§ 28-51-104 to -107, the law applies to “any agency, individual or commercial entity (collectively, Entity) that conducts business in ID and that owns or licenses computerized data that includes PI about a resident of ID.”
What are the requirements of businesses and organizations?
Under Idaho Stat. §§ 28-51-104 to -107, businesses and organizations within Idaho are required to provide citizens of the state with data breach notifications in the event that said entities experience a security breach. These notices must be made expediently and without unreasonable delay, and must also provide consumers with information concerning the scope and severity of the breach, the number of individuals that have been affected, and any means that the business or organization that has experienced the breach has taken to “restore the reasonable integrity of the computerized data system.” What’s more, state agencies within Idaho are also required to inform the Idaho Attorney General within 24 hours of experiencing a security breach.
Conversely, the law also outlines the circumstances under which a business or organization within the state may provide consumers with substitute data breach notices. Under Idaho Stat. §§ 28-51-104 to -107, businesses and organizations within Idaho that experience a security breach may provide affected consumers with substitute notices in instances where the cost of providing standard data notices would exceed $25,000, the number of Idaho residents that were affected by the breach exceeds 50,000, or the entity that experienced the breach does not have sufficient contact information. Furthermore, these substitute notices must consist of the following:
- Email notice, if the entity has an email address for the residents that have been affected by the breach.
- The conspicuous posting of the substitute notice on the business or organization’s website, if the business or organization maintains a website.
- Notice to all major media outlets within the state of Idaho.
What forms of personal information are covered?
Under Idaho Stat. §§ 28-51-104 to -107, the following categories of personal information are covered under the law, in conjunction with an Idaho resident’s “first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted”:
- Social security numbers.
- Driver’s license numbers and state identification card numbers.
- Account numbers and credit card numbers, in combination with any required security codes, access codes, or passwords that would permit access to an individual’s financial account.
In terms of the enforcement of the law, the provisions set forth in Idaho Stat. §§ 28-51-104 to -107 are enforced by the Idaho Attorney General. As such, businesses and organizations within the state that fail to comply with the data breach notification requirements that were established by the law are subject to a monetary penalty of up to $25,000 per breach. Idaho Stat. §§ 28-51-104 also contains additional penalties for government disclosures, as the law states “any governmental employee that intentionally discloses personal information not subject to disclosure otherwise allowed by law shall be subject to a fine of not more than $2,000, by imprisonment in the county jail for a period of not more than 1 year, or both.”
The enactment of Idaho Stat. §§ 28-51-104 to -107 provided citizens of Idaho with legal protections should their personal information be involved in a security or data breach. Despite the fact that the law was passed more than 10 years ago, the protections afforded residents of Idaho under Idaho Stat. §§ 28-51-104 to -107 are on par with similar legislation that has been passed more recently. As such, residents of the state of Idaho can rest assured that they will be protected from adverse consequences should their personal information be improperly disclosed as a result of a data breach.