Quick Facts
Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Most expedient time possible without
unreasonable delay
Government Notification Required: No*
Scope of this Summary:
Notification requirements applicable to individuals or commercial entities that conduct business in the state and own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if, after reasonable and prompt investigation, the covered entity determines that misuse of a resident's covered info has not occurred or is not reasonably likely to occur.
Breach Defined
Illegal acquisition that compromises the security, confidentiality, or integrity of the covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted.
Form of Covered Info
Electronic Only
Covered Info
An Idaho resident's first name or first initial and last name in combination with any one or more of the following data elements:
- Social Security number.
- Driver's license number or Idaho identification card number.
- Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account.
Consumer Notice Timing
Must be made in most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach, identify the residents affected, and restore the reasonable integrity of the system.
Consumer Notice Method
By written notice, telephonic notice, or electronic notice if it is consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
Content of notice undefined.
Delayed Notice
Notification may be delayed if law enforcement determines that notification will impede a criminal investigation.
Government Notice
N/A* – Public agencies have a duty to notify the AG.
Consumer Reporting Agency Notice
N/A
Exceptions for Other Laws
An individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with section 28-51-105, Idaho Code, if the individual or the commercial entity complies with the maintained procedures when a breach of the security of the system occurs.
Third-Party Notice
If you maintain covered info on behalf of another entity, you must notify it immediately following discovery of a breach if misuse of covered info has occurred or is reasonably likely to occur. Must cooperate by sharing relevant information about breach.
Private Right of Action
The Idaho statute does not provide for a private right of action.
Potential Penalties
Violations may result in civil penalties.
This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.
Last revised on June 15, 2023