LEGISLATURE OF THE STATE OF IDAHO
Sixty-eighth Legislature, First Regular Session - 2025

IN THE SENATE

SENATE BILL NO. 1066

BY COMMERCE AND HUMAN RESOURCES COMMITTEE

AN ACT
RELATING TO IDENTITY THEFT; AMENDING SECTION 28-51-104, IDAHO CODE, TO REVISE A DEFINITION AND TO MAKE A TECHNICAL CORRECTION; AMENDING SECTION 28-51-105, IDAHO CODE, TO REVISE PROVISIONS REGARDING DISCLOSURE OF BREACH OF SECURITY OF COMPUTERIZED PERSONALLY IDENTIFIABLE INFORMATION BY AN AGENCY, INDIVIDUAL, OR A COMMERCIAL ENTITY; AMENDING SECTION 28-51-106, IDAHO CODE, TO PROVIDE CORRECT TERMINOLOGY AND TO MAKE TECHNICAL CORRECTIONS; AND DECLARING AN EMERGENCY AND PROVIDING AN EFFECTIVE DATE.

Be It Enacted by the Legislature of the State of Idaho:

SECTION 1. That Section 28-51-104, Idaho Code, be, and the same is hereby amended to read as follows:

28-51-104. DEFINITIONS. For purposes of sections 28-51-104 through 28-51-107, Idaho Code:

(1) "Agency" means any "public agency" as defined in section 74-101, Idaho Code.

(2) "Breach of the security of the system" means the illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information for one (1) or more persons maintained by an agency, individual or a commercial entity. Good faith acquisition of personal information by an employee or agent of an agency, individual or a commercial entity for the purposes of the agency, individual or the commercial entity is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(3) "Commercial entity" includes corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture and any other legal entity, whether for profit or not-for-profit not for profit.

(4) "Notice" means:
(a) Written notice to the most recent address the agency, individual or commercial entity has in its records;
(b) Telephonic notice;
(c) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. section 7001; or
(d) Substitute notice, if the agency, individual or the commercial entity required to provide notice demonstrates that the cost of providing notice will exceed twenty-five thousand dollars ($25,000), or that the number of Idaho residents to be notified exceeds fifty thousand (50,000), or that the agency, individual or the commercial entity does not have sufficient contact information to provide notice. Substitute notice consists of all of the following:
(i) E-mail notice if the agency, individual or the commercial entity has e-mail addresses for the affected Idaho residents; and
(ii) Conspicuous posting of the notice on the website page of the agency, individual or the commercial entity if the agency, individual or the commercial entity maintains one; and
(iii) Notice to major statewide media.

(5) "Personal information" "Personally identifiable information" or "(PII)" means an Idaho resident's first name or first initial and last name in combination with any one (1) or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted:
(a) Social security number;
(b) Driver's license number, passport number, or Idaho other government-issued identification card number; or
(c) Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account;
(d) Username or email address, in combination with a password or security question that would permit access to an online account;
(e) Individual medical history, treatment, diagnosis, or DNA profile;
(f) Health insurance policy number or other unique identifier used by a health insurer;
(g) Unique biometric data generated for authentication purposes; or
(h) Individual taxpayer identification number.

The term "personal personally identifiable information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

(6) "Primary regulator" of a commercial entity or individual licensed or chartered by the United States is that commercial entity's or individual's primary federal regulator, the primary regulator of a commercial entity or individual licensed by the department of finance is the department of finance, the primary regulator of a commercial entity or individual licensed by the department of insurance is the department of insurance and, for all agencies and all other commercial entities or individuals, the primary regulator is the attorney general.

SECTION 2. That Section 28-51-105, Idaho Code, be, and the same is hereby amended to read as follows:

28-51-105. DISCLOSURE OF BREACH OF SECURITY OF COMPUTERIZED PERSONAL PERSONALLY IDENTIFIABLE INFORMATION BY AN AGENCY, INDIVIDUAL, OR A COMMERCIAL ENTITY. (1) A city, county, or state agency, an individual, or a commercial entity that conducts business in Idaho and that owns or licenses computerized data that includes personal information PII about a resident of Idaho shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information PII has been or will be misused. If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, the agency, individual, or the commercial entity shall give notice as soon as possible to the affected Idaho resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach, to identify the individuals affected, and to restore the reasonable integrity of the computerized data system.

When an agency becomes aware of a breach of the security of the system, it shall, within twenty-four (24) hours of such discovery, notify the office of the Idaho attorney general. Nothing contained in this section relieves a state agency's responsibility to report a security breach to the office of the chief information officer within the department of administration, pursuant to the Idaho technology authority policies.

Any governmental employee who intentionally discloses personal information PII not subject to disclosure otherwise allowed by law is guilty of a misdemeanor and, upon conviction thereof, shall be punished by a fine of not more than two thousand dollars ($2,000), or by imprisonment in the county jail for a period of not more than one (1) year, or both.

(2) An agency, individual, or a commercial entity that maintains computerized data that includes personal information PII that the agency, individual, or the commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of a breach if misuse of personal information about an Idaho resident occurred or is reasonably likely to occur. Cooperation includes sharing with the owner or licensee information relevant to the breach.

(3) Notice required by this section may be delayed if a law enforcement agency advises the agency, individual, or commercial entity that the notice will impede a criminal investigation. Notice required by this section must be made in good faith, without unreasonable delay and as soon as possible after the law enforcement agency advises the agency, individual, or commercial entity that notification will no longer impede the investigation.

(4) An agency, individual, or commercial entity that has determined that the misuse of PII about an Idaho resident has occurred or is reasonably likely to occur shall, in addition to the notice required by this section:
(a) Offer to provide credit monitoring services at no cost to the affected resident for a period of not less than thirty-six (36) months; and
(b) Provide information on how to enroll in the free credit monitoring service pursuant to paragraph (a) of this subsection and how the affected resident can place a credit freeze on such resident's credit file with credit reporting agencies.

SECTION 3. That Section 28-51-106, Idaho Code, be, and the same is hereby amended to read as follows:

28-51-106. PROCEDURES DEEMED IN COMPLIANCE WITH SECURITY BREACH REQUIREMENTS. (1) An agency, an individual, or a commercial entity that maintains its own notice procedures as part of an information security policy for the treatment of personal personally identifiable information, and whose procedures are otherwise consistent with the timing requirements of section 28-51-105, Idaho Code, is deemed to be in compliance with the notice requirements of section 28-51-105, Idaho Code, if the agency, individual, or the commercial entity notifies affected Idaho residents in accordance with its policies in the event of a breach of security of the system.

(2) An individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with section 28-51-105, Idaho Code, if the individual or the commercial entity complies with the maintained procedures when a breach of the security of the system occurs.

SECTION 4. An emergency existing therefor, which emergency is hereby declared to exist, this act shall be in full force and effect on and after July 1, 2025.