State Privacy Law Tracker: Idaho

Idaho Data Privacy Law

Currently, there are no comprehensive Idaho state privacy laws in effect; nor has a comprehensive bill been introduced this year. There are a few sector-specific privacy-related laws in effect.

Idaho’s Data Breach Notification Law

The primary privacy and data security law in Idaho is the state’s data breach notification law.

There are additional privacy laws in Idaho, including laws governing electronic surveillance and identity theft, as well as sector-specific laws.

Who is covered by Idaho’s Data Breach Notification Law?

The data breach notification law applies to any resident of Idaho whose personal information was or is reasonably believed to have been misused. 

What Data is Covered?

The data breach notification law covers any city, county, or state agency, an individual, or a commercial entity conducting business in Idaho and owning or processing data that includes personal information about Idaho residents. Upon becoming aware of a breach of the security of the system, entities are required to conduct an investigation to determine the likelihood that personal information has been or will be misused. On finding such misuse or potential misuse, the entity must notify affected Idaho residents.

In addition, an agency, individual, or commercial entity that maintains computerized data containing personal information that it does not own or license must notify the owner or licensee of the information regarding any breach of the security of the system immediately following the discovery of a breach if misuse of personal information of an Idaho resident has occurred or is likely to occur.

Who Must Comply? 

A covered entity includes a corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture, or any other legal entity, whether for profit or not for profit. 

Important Definitions in the Idaho Data Breach Notification Law

Security Breach

According to Idaho law, a “breach of the security of the system” is the illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information for one or more persons maintained by an agency, individual, or commercial entity.

Personal Information

Personal information is defined as an Idaho resident’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or data elements are not encrypted: 

  • social security number
  • driver’s license number or Idaho ID card number
  • account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account.

The term “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

Other Idaho Privacy Laws

Idaho’s SDATAA

Idaho’s Student Data Accessibility, Transparency & Accountability Act, otherwise known as SB 1372, is a student data protection and privacy law that was passed in 2014. Under SB 1372, the Idaho State Board of Education, Idaho public school districts, and the teachers and school personnel who work within such settings are required to take a number of measures to ensure that the personal information of the students they serve remains both accessible to applicable parties and protected from unauthorized use. The law also establishes the specific types of covered information that are protected from disclosure.

Centraleyes continues to monitor Idaho, as well as other state legislative developments this year.  Stay tuned and follow us as we bring you the latest updates in the privacy sector.

Employee Privacy Laws in Idaho

Idaho law prohibits discrimination in employment, education, real estate transactions, and public accommodations. Illegal discrimination may be based on: race, sex, color, national origin, religion, age (over 40), mental incapacity, or physical disability.
