|An Act Relating to Personal and Financial Information on Computerized Databases, S.B. No. 1374|
|CITATION||Idaho Code: § 28-51-104-107|
|SUMMARY||An agency, individual or a commercial entity that conducts business in Idaho and that owns or licenses computerized data that includes personal information about a resident of Idaho shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur; the agency, individual or the commercial entity must give notice as soon as possible to the affected Idaho resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach, to identify the individuals affected, and to restore the reasonable integrity of the computerized data system.|
The law covers ‘Personal Information’ which is defined as an Idaho resident's first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted:
|INDUSTRY||An agency, individual or a commercial entity that conducts business in Idaho and that owns or licenses computerized data that includes personal information about a resident of Idaho.|
An intentional violation subject’s the violator to fines of not more than twenty-five thousand dollars ($25,000) per breach.
Depending on the industry, the principal regulator of the commercial entity or individual may bring a civil action to enjoin further violations.