Idaho

Click here to review text of state statute

Click here to download a print-version of the Mintz Matrix

Information Covered / Important Definitions

Information covered:

Personal information of Idaho residents.

Important definitions:

“Security Breach” means an illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information for one or more persons.

“Primary Regulator” of a commercial entity or individual licensed or chartered by the United States is that commercial entity's or individual's primary federal regulator. The primary regulator of a commercial entity or individual licensed by the department of finance is the department of finance. The primary regulator of a commercial entity or individual licensed by the department of insurance is the department of insurance. For all other agencies and all other commercial entities or individuals, the primary regulator is the attorney general.

**Covered Entities* / Third Party Recipients**

Subject to statute:

An individual, state, or a commercial entity that conducts business in Idaho and owns or licenses computerized data that includes personal information about a resident of Idaho.

Third party recipients:

Any covered entity that maintains computerized data that includes personal information that the covered entity does not own or license must give notice to and cooperate with the owner or licensee of the information of any security breach concerning the personal information of an Idaho resident.

Notice Procedures & Timing / Other Obligations

Written, electronic, or telephonic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay following a prompt investigation to determine if misuse of information about an Idaho resident has occurred or is reasonably likely to occur, unless a law enforcement agency determines that notice will impede a law enforcement investigation (in which case notification is delayed until authorized by law enforcement).

Substitute notice is available by means prescribed in the statute if costs to exceed $25,000, affected class exceeds 50,000 persons, or covered entity does not have sufficient contact information.
Notice only required if security breach materially compromises the security, confidentiality, or integrity of personal information.
Notice not required if, after a reasonable and prompt investigation, the covered entity determines that there is no reasonable likelihood that personal information has been or will be misused.

Encryption Safe Harbor / Other Exemptions

Encryption Safe Harbor:

Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.

Other exemptions:

Exemption for good faith acquisition by an employee or agent of the covered entity so long as personal information not used or subject to further unauthorized disclosure.

A covered entity is deemed in compliance with the Idaho statute if it maintains and complies with its own notification procedures as part of an information security policy and whose procedures are consistent with the timing requirements of the Idaho statute.

Entities regulated by state or federal law that maintain and comply with procedures for addressing security breaches pursuant to those laws are exempt.

Notification to Regulator / Waiver

A determination of no likelihood of harm:

Does not require notification to attorney general if covered entity is an individual or commercial entity.

Penalties

Fine of not more than $25,000 per security breach for any covered entity that intentionally fails to give notice.

Any governmental employee that intentionally discloses personal information not subject to disclosure otherwise allowed by law is guilty of a misdemeanor and, upon conviction thereof, could be punished by a fine of not more than $2,000, or by imprisonment in the county jail for a period of not more than one year, or both.

Private Cause of Action / Enforcement

Private Cause of Action: No.

Enforcement action brought by a covered entity’s primary regulator.

^*Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.