Browse data breach notification laws in the United States by states or territories. This database currently includes breach statutes for a business that collects personal information. This database is for informational purposes only and may not be up-to-date. Please review our Terms of Service. Report any errors or issues to: webmaster@amp.legal.
| Last Updated | Idaho breach law summary was last updated on 06/26/2017 |
| Statute | Idaho Stat. §§ 28-51-104 to -107 [View Source] [Download PDF] |
| Covered Entities | "Commercial Entity" includes corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture and any other legal entity, whether for profit or not-for-profit. |
| Covered Information | "Personal Information" includes First Name (or First Initial) and Last Name PLUS one of the following:
|
| Form of Information | Electronic |
| Breach Trigger | Illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information for one (1) or more persons maintained by an agency, individual or a commercial entity. |
| Encryption Safe Harbor | Yes. Breach of the security of the system means the illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information for one (1) or more persons maintained by an agency, individual or a commercial entity. |
| Risk of Harm Analysis | Yes. If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, the agency, individual or the commercial entity shall give notice as soon as possible to the affected Idaho resident. |
| Consumer Notice | A city, county or state agency, individual or a commercial entity that conducts business in Idaho and that owns or licenses computerized data that includes personal information about a resident of Idaho shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, the agency, individual or the commercial entity shall give notice as soon as possible to the affected Idaho resident. |
| Government Agency Notice | When an agency becomes aware of a breach of the security of the system, it shall, within twenty-four (24) hours of such discovery, notify the office of the Idaho attorney general. Nothing contained in this section relieves a state agency’s responsibility to report a security breach to the office of the chief information officer within the department of administration, pursuant to the Idaho technology authority policies. |
| Credit Agency Notice | No. |
| Penalties | Yes. Up to $25,000 per breach. Any agency, individual or commercial entity that intentionally fails to give notice in accordance with section 28-51-105, Idaho Code, shall be subject to a fine of not more than twenty-five thousand dollars ($25,000) per breach of the security of the system. |
| Private Cause of Action | No. By failing to give notice in accordance with that section, the primary regulator may bring a civil action to enforce compliance with that section and enjoin that agency, individual or commercial entity from further violations. |