2006 Legislation

SENATE BILL NO. 1374 – Personal/financial info, databases


Bill Status



S1374 by COMMERCE AND HUMAN RESOURCES
PERSONAL INFORMATION - SECURITY - Adds to existing law to provide for
disclosure of breach of security of computerized personal information by an
agency, individual or a commercial entity; to provide procedures deemed in
compliance with security breach requirements; and to provide penalties for
violations.
                                                                        
02/10    Senate intro - 1st rdg - to printing
02/13    Rpt prt - to Com/HuRes
02/22    Rpt out - rec d/p - to 2nd rdg
02/23    2nd rdg - to 3rd rdg
02/24    3rd rdg - PASSED - 35-0-0
      AYES -- Andreason, Brandt(Harper), Broadsword, Bunderson, Burkett,
      Burtenshaw, Cameron, Coiner, Compton, Corder, Darrington, Davis,
      Fulcher, Gannon, Geddes, Goedde, Hill, Jorgenson, Kelly, Keough,
      Langhorst, Little, Lodge, Malepeai, Marley, McGee, McKenzie, Pearce,
      Richardson, Schroeder, Stegner, Stennett, Sweet, Werk, Williams
      NAYS -- None
      Absent and excused -- None
    Floor Sponsor - Werk
    Title apvd - to House
02/27    House intro - 1st rdg - to St Aff
03/13    Rpt out - rec d/p - to 2nd rdg
03/14    2nd rdg - to 3rd rdg
03/22    3rd rdg - PASSED - 61-0-9
      AYES -- Anderson, Andrus, Barraclough, Barrett, Bastian, Bayer,
      Bedke, Bell, Bilbao, Black, Brackett, Bradford, Cannon, Chadderdon,
      Clark, Collins, Deal, Denney, Edmunson, Ellsworth, Eskridge,
      Field(18), Field(23), Garrett, Hart, Harwood, Henbest, Jaquet, Kemp,
      Lake, LeFavour, Loertscher, Martinez, Mathews, McKague, Miller,
      Mitchell, Nielsen, Nonini, Pasley-Stuart, Pence, Raybould, Ring,
      Ringo, Roberts, Rusche, Rydalch, Sali, Sayler, Schaefer, Shepherd(8),
      Shirley, Skippen, Smith(30), Smith(24), Smylie, Snodgrass, Stevenson,
      Trail, Wills, Mr. Speaker
      NAYS -- None
      Absent and excused -- Block, Boe, Bolz, Crow, Henderson, McGeachin,
      Moyle, Shepherd(2), Wood
    Floor Sponsor - Black
    Title apvd - to Senate
03/23    To enrol
03/24    Rpt enrol - Pres signed - Sp signed
03/27    To Governor
03/30    Governor signed
         Session Law Chapter 258
         Effective: 07/01/06

Bill Text


                                                                        
                                                                        
                    LEGISLATURE OF THE STATE OF IDAHO
 Fifty-eighth Legislature                   Second Regular Session - 2006
                                                                        
                                                                        
                                       IN THE SENATE
                                                                        
                                    SENATE BILL NO. 1374
                                                                        
                         BY COMMERCE AND HUMAN RESOURCES COMMITTEE
                                                                        
  1                                        AN ACT
  2    RELATING TO PERSONAL AND  FINANCIAL  INFORMATION  ON  COMPUTERIZED  DATABASES;
  3        AMENDING  PART 1, CHAPTER 51, TITLE 28, IDAHO CODE, BY THE ADDITION OF NEW
  4        SECTIONS 28-51-104, 28-51-105, 28-51-106 AND  28-51-107,  IDAHO  CODE,  TO
  5        DEFINE TERMS, TO PROVIDE FOR DISCLOSURE OF BREACH OF SECURITY OF COMPUTER-
  6        IZED PERSONAL INFORMATION BY AN AGENCY, INDIVIDUAL OR A COMMERCIAL ENTITY,
  7        TO  PROVIDE  PROCEDURES DEEMED IN COMPLIANCE WITH SECURITY BREACH REQUIRE-
  8        MENTS AND TO PROVIDE PENALTIES FOR VIOLATIONS.
                                                                        
  9    Be It Enacted by the Legislature of the State of Idaho:
                                                                        
 10        SECTION 1.  That Part 1, Chapter 51, Title 28, Idaho  Code,  be,  and  the
 11    same  is  hereby  amended by the addition thereto of NEW SECTIONS, to be known
 12    and designated as Sections  28-51-104,  28-51-105,  28-51-106  and  28-51-107,
 13    Idaho Code, and to read as follows:
                                                                        
 14        28-51-104.  DEFINITIONS.   For  purposes  of  sections  28-51-104  through
 15    28-51-107, Idaho Code:
 16        (1)  "Agency" means any "public agency" as defined in section 9-337, Idaho
 17    Code.
 18        (2)  "Breach of the security of the system" means the illegal  acquisition
 19    of  unencrypted  computerized  data  that materially compromises the security,
 20    confidentiality, or integrity of personal information for one (1) or more per-
 21    sons maintained by an agency, individual or a commercial  entity.  Good  faith
 22    acquisition  of  personal  information  by  an employee or agent of an agency,
 23    individual or a commercial entity for the purposes of the  agency,  individual
 24    or  the  commercial entity is not a breach of the security of the system, pro-
 25    vided that the personal information is not used or subject to further unautho-
 26    rized disclosure.
 27        (3)  "Commercial entity" includes  corporation,  business  trust,  estate,
 28    trust,  partnership,  limited partnership, limited liability partnership, lim-
 29    ited liability company, association, organization, joint venture and any other
 30    legal entity, whether for profit or not-for-profit.
 31        (4)  "Notice" means:
 32        (a)  Written notice to the most recent address the agency,  individual  or
 33        commercial entity has in its records;
 34        (b)  Telephonic notice;
 35        (c)  Electronic notice, if the notice provided is consistent with the pro-
 36        visions regarding electronic records and signatures set forth in 15 U.S.C.
 37        section 7001; or
 38        (d)  Substitute notice, if the agency, individual or the commercial entity
 39        required  to provide notice demonstrates that the cost of providing notice
 40        will exceed twenty-five thousand dollars ($25,000), or that the number  of
 41        Idaho  residents  to  be notified exceeds fifty thousand (50,000), or that
 42        the agency, individual or the commercial entity does not  have  sufficient
 43        contact  information  to provide notice. Substitute notice consists of all
                                                                        
                                           2
                                                                        
  1        of the following:
  2             (i)   E-mail notice if  the  agency,  individual  or  the  commercial
  3             entity has e-mail addresses for the affected Idaho residents; and
  4             (ii)  Conspicuous  posting  of  the notice on the website page of the
  5             agency, individual or the commercial entity if the agency, individual
  6             or the commercial entity maintains one; and
  7             (iii) Notice to major statewide media.
  8        (5)  "Personal information" means an Idaho resident's first name or  first
  9    initial and last name in combination with any one (1) or more of the following
 10    data  elements  that  relate to the resident, when either the name or the data
 11    elements are not encrypted:
 12        (a)  Social security number;
 13        (b)  Driver's license number or Idaho identification card number; or
 14        (c)  Account number, or credit or debit card number, in  combination  with
 15        any  required  security  code,  access code, or password that would permit
 16        access to a resident's financial account.
 17        The term "personal information" does not include publicly available infor-
 18    mation that is lawfully made available to the  general  public  from  federal,
 19    state, or local government records or widely distributed media.
 20        (6)  "Primary  regulator" of a commercial entity or individual licensed or
 21    chartered by the United States is that  commercial  entity's  or  individual's
 22    primary  federal  regulator,  the  primary regulator of a commercial entity or
 23    individual licensed by the department of finance is the department of finance,
 24    the primary regulator of a commercial entity or  individual  licensed  by  the
 25    department  of  insurance is the department of insurance and, for all agencies
 26    and all other commercial entities or individuals, the primary regulator is the
 27    attorney general.
                                                                        
 28        28-51-105.  DISCLOSURE OF BREACH  OF  SECURITY  OF  COMPUTERIZED  PERSONAL
 29    INFORMATION  BY  AN  AGENCY, INDIVIDUAL OR A COMMERCIAL ENTITY. (1) An agency,
 30    individual or a commercial entity that conducts business  in  Idaho  and  that
 31    owns  or licenses computerized data that includes personal information about a
 32    resident of Idaho shall, when it becomes aware of a breach of the security  of
 33    the  system,  conduct  in  good faith a reasonable and prompt investigation to
 34    determine the likelihood that personal information has been or  will  be  mis-
 35    used.  If the investigation determines that the misuse of information about an
 36    Idaho resident has occurred or is reasonably  likely  to  occur,  the  agency,
 37    individual  or  the commercial entity shall give notice as soon as possible to
 38    the affected Idaho resident. Notice must be made in the  most  expedient  time
 39    possible  and without unreasonable delay, consistent with the legitimate needs
 40    of law enforcement and consistent with any measures necessary to determine the
 41    scope of the breach, to identify the individuals affected, and to restore  the
 42    reasonable integrity of the computerized data system.
 43        (2)  An agency, individual or a commercial entity that maintains computer-
 44    ized  data  that  includes personal information that the agency, individual or
 45    the commercial entity does not own or license shall give notice to and cooper-
 46    ate with the owner or licensee of the information of any breach of  the  secu-
 47    rity  of  the system immediately following discovery of a breach, if misuse of
 48    personal information about an Idaho resident occurred or is reasonably  likely
 49    to  occur. Cooperation includes sharing with the owner or licensee information
 50    relevant to the breach.
 51        (3)  Notice required by this section may be delayed if a  law  enforcement
 52    agency  advises  the  agency,  individual or commercial entity that the notice
 53    will impede a criminal investigation. Notice required by this section must  be
 54    made  in  good faith, without unreasonable delay and as soon as possible after
                                                                        
                                           3
                                                                        
  1    the law enforcement agency advises the agency, individual or commercial entity
  2    that notification will no longer impede the investigation.
                                                                        
  3        28-51-106.  PROCEDURES DEEMED IN COMPLIANCE WITH SECURITY BREACH  REQUIRE-
  4    MENTS. (1) An agency, individual or a commercial entity that maintains its own
  5    notice  procedures as part of an information security policy for the treatment
  6    of personal information, and whose procedures are  otherwise  consistent  with
  7    the  timing  requirements of section 28-51-105, Idaho Code, is deemed to be in
  8    compliance with the notice requirements of section 28-51-105, Idaho  Code,  if
  9    the  agency, individual or the commercial entity notifies affected Idaho resi-
 10    dents in accordance with its policies in the event of a breach of security  of
 11    the system.
 12        (2)  An  individual  or  a commercial entity that is regulated by state or
 13    federal law and that maintains procedures for a breach of the security of  the
 14    system  pursuant  to  the  laws,  rules, regulations, guidances, or guidelines
 15    established by its primary or functional state or federal regulator is  deemed
 16    to  be  in compliance with section 28-51-105, Idaho Code, if the individual or
 17    the commercial entity complies with the maintained procedures when a breach of
 18    the security of the system occurs.
                                                                        
 19        28-51-107.  VIOLATIONS. In any  case  in  which  an  agency's,  commercial
 20    entity's  or  individual's  primary  regulator  has  reason to believe that an
 21    agency, individual or commercial entity subject to  that  primary  regulator's
 22    jurisdiction  under  section  28-51-104(6),  Idaho  Code, has violated section
 23    28-51-105, Idaho Code, by failing to give notice in accordance with that  sec-
 24    tion,  the  primary  regulator  may bring a civil action to enforce compliance
 25    with that section and enjoin that agency, individual or commercial entity from
 26    further violations. Any agency, individual or commercial  entity  that  inten-
 27    tionally  fails  to  give  notice  in accordance with section 28-51-105, Idaho
 28    Code, shall be subject to a fine of not more than twenty-five thousand dollars
 29    ($25,000) per breach of the security of the system.

Statement of Purpose / Fiscal Impact


                       STATEMENT OF PURPOSE

                            RS 15951C1

Identity theft is a serious problem. Recent high profile breaches
of computer security have illustrated the need to ensure that
Idaho citizens are notified promptly when their personal
information is compromised, regardless of the location of the
entity that experienced the breach. This legislation provides for
the disclosure to Idaho citizens of a breach of security of
computerized personal information by an agency, individual, or
commercial entity.





                            FISCAL NOTE

There is no impact to the state general fund.





Contact
Name:      Senator Elliot Werk 
           Representative Max Black
Phone:     322-1000
      
