View Bill Status
View Bill Text
View Statement of Purpose / Fiscal Impact
S1374.......................................by COMMERCE AND HUMAN RESOURCES
PERSONAL INFORMATION - SECURITY - Adds to existing law to provide for
disclosure of breach of security of computerized personal information by an
agency, individual or a commercial entity; to provide procedures deemed in
compliance with security breach requirements; and to provide penalties for
violations.
02/10 Senate intro - 1st rdg - to printing
02/13 Rpt prt - to Com/HuRes
02/22 Rpt out - rec d/p - to 2nd rdg
02/23 2nd rdg - to 3rd rdg
02/24 3rd rdg - PASSED - 35-0-0
AYES -- Andreason, Brandt(Harper), Broadsword, Bunderson, Burkett,
Burtenshaw, Cameron, Coiner, Compton, Corder, Darrington, Davis,
Fulcher, Gannon, Geddes, Goedde, Hill, Jorgenson, Kelly, Keough,
Langhorst, Little, Lodge, Malepeai, Marley, McGee, McKenzie, Pearce,
Richardson, Schroeder, Stegner, Stennett, Sweet, Werk, Williams
NAYS -- None
Absent and excused -- None
Floor Sponsor - Werk
Title apvd - to House
02/27 House intro - 1st rdg - to St Aff
03/13 Rpt out - rec d/p - to 2nd rdg
03/14 2nd rdg - to 3rd rdg
03/22 3rd rdg - PASSED - 61-0-9
AYES -- Anderson, Andrus, Barraclough, Barrett, Bastian, Bayer,
Bedke, Bell, Bilbao, Black, Brackett, Bradford, Cannon, Chadderdon,
Clark, Collins, Deal, Denney, Edmunson, Ellsworth, Eskridge,
Field(18), Field(23), Garrett, Hart, Harwood, Henbest, Jaquet, Kemp,
Lake, LeFavour, Loertscher, Martinez, Mathews, McKague, Miller,
Mitchell, Nielsen, Nonini, Pasley-Stuart, Pence, Raybould, Ring,
Ringo, Roberts, Rusche, Rydalch, Sali, Sayler, Schaefer, Shepherd(8),
Shirley, Skippen, Smith(30), Smith(24), Smylie, Snodgrass, Stevenson,
Trail, Wills, Mr. Speaker
NAYS -- None
Absent and excused -- Block, Boe, Bolz, Crow, Henderson, McGeachin,
Moyle, Shepherd(2), Wood
Floor Sponsor - Black
Title apvd - to Senate
03/23 To enrol
03/24 Rpt enrol - Pres signed - Sp signed
03/27 To Governor
03/30 Governor signed
Session Law Chapter 258
Effective: 07/01/06
]]]] LEGISLATURE OF THE STATE OF IDAHO ]]]]
Fifty-eighth Legislature Second Regular Session - 2006
IN THE SENATE
SENATE BILL NO. 1374
BY COMMERCE AND HUMAN RESOURCES COMMITTEE
1 AN ACT
2 RELATING TO PERSONAL AND FINANCIAL INFORMATION ON COMPUTERIZED DATABASES;
3 AMENDING PART 1, CHAPTER 51, TITLE 28, IDAHO CODE, BY THE ADDITION OF NEW
4 SECTIONS 28-51-104, 28-51-105, 28-51-106 AND 28-51-107, IDAHO CODE, TO
5 DEFINE TERMS, TO PROVIDE FOR DISCLOSURE OF BREACH OF SECURITY OF COMPUTER-
6 IZED PERSONAL INFORMATION BY AN AGENCY, INDIVIDUAL OR A COMMERCIAL ENTITY,
7 TO PROVIDE PROCEDURES DEEMED IN COMPLIANCE WITH SECURITY BREACH REQUIRE-
8 MENTS AND TO PROVIDE PENALTIES FOR VIOLATIONS.
9 Be It Enacted by the Legislature of the State of Idaho:
10 SECTION 1. That Part 1, Chapter 51, Title 28, Idaho Code, be, and the
11 same is hereby amended by the addition thereto of NEW SECTIONS, to be known
12 and designated as Sections 28-51-104, 28-51-105, 28-51-106 and 28-51-107,
13 Idaho Code, and to read as follows:
14 28-51-104. DEFINITIONS. For purposes of sections 28-51-104 through
15 28-51-107, Idaho Code:
16 (1) "Agency" means any "public agency" as defined in section 9-337, Idaho
17 Code.
18 (2) "Breach of the security of the system" means the illegal acquisition
19 of unencrypted computerized data that materially compromises the security,
20 confidentiality, or integrity of personal information for one (1) or more per-
21 sons maintained by an agency, individual or a commercial entity. Good faith
22 acquisition of personal information by an employee or agent of an agency,
23 individual or a commercial entity for the purposes of the agency, individual
24 or the commercial entity is not a breach of the security of the system, pro-
25 vided that the personal information is not used or subject to further unautho-
26 rized disclosure.
27 (3) "Commercial entity" includes corporation, business trust, estate,
28 trust, partnership, limited partnership, limited liability partnership, lim-
29 ited liability company, association, organization, joint venture and any other
30 legal entity, whether for profit or not-for-profit.
31 (4) "Notice" means:
32 (a) Written notice to the most recent address the agency, individual or
33 commercial entity has in its records;
34 (b) Telephonic notice;
35 (c) Electronic notice, if the notice provided is consistent with the pro-
36 visions regarding electronic records and signatures set forth in 15 U.S.C.
37 section 7001; or
38 (d) Substitute notice, if the agency, individual or the commercial entity
39 required to provide notice demonstrates that the cost of providing notice
40 will exceed twenty-five thousand dollars ($25,000), or that the number of
41 Idaho residents to be notified exceeds fifty thousand (50,000), or that
42 the agency, individual or the commercial entity does not have sufficient
43 contact information to provide notice. Substitute notice consists of all
2
1 of the following:
2 (i) E-mail notice if the agency, individual or the commercial
3 entity has e-mail addresses for the affected Idaho residents; and
4 (ii) Conspicuous posting of the notice on the website page of the
5 agency, individual or the commercial entity if the agency, individual
6 or the commercial entity maintains one; and
7 (iii) Notice to major statewide media.
8 (5) "Personal information" means an Idaho resident's first name or first
9 initial and last name in combination with any one (1) or more of the following
10 data elements that relate to the resident, when either the name or the data
11 elements are not encrypted:
12 (a) Social security number;
13 (b) Driver's license number or Idaho identification card number; or
14 (c) Account number, or credit or debit card number, in combination with
15 any required security code, access code, or password that would permit
16 access to a resident's financial account.
17 The term "personal information" does not include publicly available infor-
18 mation that is lawfully made available to the general public from federal,
19 state, or local government records or widely distributed media.
20 (6) "Primary regulator" of a commercial entity or individual licensed or
21 chartered by the United States is that commercial entity's or individual's
22 primary federal regulator, the primary regulator of a commercial entity or
23 individual licensed by the department of finance is the department of finance,
24 the primary regulator of a commercial entity or individual licensed by the
25 department of insurance is the department of insurance and, for all agencies
26 and all other commercial entities or individuals, the primary regulator is the
27 attorney general.
28 28-51-105. DISCLOSURE OF BREACH OF SECURITY OF COMPUTERIZED PERSONAL
29 INFORMATION BY AN AGENCY, INDIVIDUAL OR A COMMERCIAL ENTITY. (1) An agency,
30 individual or a commercial entity that conducts business in Idaho and that
31 owns or licenses computerized data that includes personal information about a
32 resident of Idaho shall, when it becomes aware of a breach of the security of
33 the system, conduct in good faith a reasonable and prompt investigation to
34 determine the likelihood that personal information has been or will be mis-
35 used. If the investigation determines that the misuse of information about an
36 Idaho resident has occurred or is reasonably likely to occur, the agency,
37 individual or the commercial entity shall give notice as soon as possible to
38 the affected Idaho resident. Notice must be made in the most expedient time
39 possible and without unreasonable delay, consistent with the legitimate needs
40 of law enforcement and consistent with any measures necessary to determine the
41 scope of the breach, to identify the individuals affected, and to restore the
42 reasonable integrity of the computerized data system.
43 (2) An agency, individual or a commercial entity that maintains computer-
44 ized data that includes personal information that the agency, individual or
45 the commercial entity does not own or license shall give notice to and cooper-
46 ate with the owner or licensee of the information of any breach of the secu-
47 rity of the system immediately following discovery of a breach, if misuse of
48 personal information about an Idaho resident occurred or is reasonably likely
49 to occur. Cooperation includes sharing with the owner or licensee information
50 relevant to the breach.
51 (3) Notice required by this section may be delayed if a law enforcement
52 agency advises the agency, individual or commercial entity that the notice
53 will impede a criminal investigation. Notice required by this section must be
54 made in good faith, without unreasonable delay and as soon as possible after
3
1 the law enforcement agency advises the agency, individual or commercial entity
2 that notification will no longer impede the investigation.
3 28-51-106. PROCEDURES DEEMED IN COMPLIANCE WITH SECURITY BREACH REQUIRE-
4 MENTS. (1) An agency, individual or a commercial entity that maintains its own
5 notice procedures as part of an information security policy for the treatment
6 of personal information, and whose procedures are otherwise consistent with
7 the timing requirements of section 28-51-105, Idaho Code, is deemed to be in
8 compliance with the notice requirements of section 28-51-105, Idaho Code, if
9 the agency, individual or the commercial entity notifies affected Idaho resi-
10 dents in accordance with its policies in the event of a breach of security of
11 the system.
12 (2) An individual or a commercial entity that is regulated by state or
13 federal law and that maintains procedures for a breach of the security of the
14 system pursuant to the laws, rules, regulations, guidances, or guidelines
15 established by its primary or functional state or federal regulator is deemed
16 to be in compliance with section 28-51-105, Idaho Code, if the individual or
17 the commercial entity complies with the maintained procedures when a breach of
18 the security of the system occurs.
19 28-51-107. VIOLATIONS. In any case in which an agency's, commercial
20 entity's or individual's primary regulator has reason to believe that an
21 agency, individual or commercial entity subject to that primary regulator's
22 jurisdiction under section 28-51-104(6), Idaho Code, has violated section
23 28-51-105, Idaho Code, by failing to give notice in accordance with that sec-
24 tion, the primary regulator may bring a civil action to enforce compliance
25 with that section and enjoin that agency, individual or commercial entity from
26 further violations. Any agency, individual or commercial entity that inten-
27 tionally fails to give notice in accordance with section 28-51-105, Idaho
28 Code, shall be subject to a fine of not more than twenty-five thousand dollars
29 ($25,000) per breach of the security of the system.
STATEMENT OF PURPOSE
RS 15951C1
Identity theft is a serious problem. Recent high profile breaches
of computer security have illustrated the need to ensure that
Idaho citizens are notified promptly when their personal
information is compromised regardless of the location of the
entity that experienced the breach. This legislation provides for
the disclosure to Idaho citizens of a breach of security of
computerized personal information by an agency, individual, or
commercial entity.
FISCAL NOTE
There is no impact to the state general fund.
Contact
Name: Senator Elliot Werk
Representative Max Black
Phone: 322-1000
STATEMENT OF PURPOSE/FISCAL NOTE S 1374