Idaho Code § 28-51-104 et seq.
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
"Breach of the security of the system" means the illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information for one (1) or more persons maintained by an agency, individual or a commercial entity.
When is notice required?
Notice is required for all Idaho residents affected by the breach and "must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach, to identify individuals affected, and to restore the reasonable integrity of the computerized data system." There are additional reporting requirements for agencies, who must notify the Attorney General's office within 24 hours of discovery. They are also required to report to their internal chief information officer, pursuant to Idaho technology authority policies. However, there are no specific provisions detailing the content of the notice to residents.
What are the penalties for non-compliance?
Violations have their own section of the law, § 28-51-107, which reads as follows:
"In any case in which an agency's, commercial entity's or individual's primary regulator has reason to believe that an agency, individual or commercial entity subject to that primary regulator's jurisdiction under section 28-51-104(6), Idaho Code, has violated section 28-51-105, Idaho Code, by failing to give notice in accordance with that section, the primary regulator may bring a civil action to enforce compliance with that section and enjoin that agency, individual or commercial entity from further violations. Any agency, individual or commercial entity that intentionally fails to give notice in accordance with section 28-51-105, Idaho Code, shall be subject to a fine of not more than twenty-five thousand dollars ($25,000) per breach of the security of the system."
Notably, a government employee "who intentionally discloses personal information not subject to disclosure otherwise allowed by law is guilty of a misdemeanor and, upon conviction thereof, shall be punished by a fine of not more than two thousand dollars ($2,000), or by imprisonment in the county jail for a period of not more than one (1) year, or both." See § 28-51-105(1).