(1) "Agency" means any "public agency" as defined in section 74-101, Idaho Code.
(2) "Breach of the security of the system" means the illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information for one (1) or more persons maintained by an agency, individual or a commercial entity. Good faith acquisition of personal information by an employee or agent of an agency, individual or a commercial entity for the purposes of the agency, individual or the commercial entity is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
(3) "Commercial entity" includes corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture and any other legal entity, whether for profit or not-for-profit.
(4) "Notice" means:
(a) Written notice to the most recent address the agency, individual or commercial entity has in its records;
(b) Telephonic notice;
(c) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. section 7001; or
(d) Substitute notice, if the agency, individual or the commercial entity required to provide notice demonstrates that the cost of providing notice will exceed twenty-five thousand dollars ($25,000), or that the number of Idaho residents to be notified exceeds fifty thousand (50,000), or that the agency, individual or the commercial entity does not have sufficient contact information to provide notice. Substitute notice consists of all of the following:
(i) E-mail notice if the agency, individual or the commercial entity has e-mail addresses for the affected Idaho residents; and
(ii) Conspicuous posting of the notice on the website page of the agency, individual or the commercial entity if the agency, individual or the commercial entity maintains one; and
(iii) Notice to major statewide media.
(5) "Personal information" means an Idaho resident’s first name or first initial and last name in combination with any one (1) or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted:
(a) Social security number;
(b) Driver’s license number or Idaho identification card number; or
(c) Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account.
The term "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.
(6) "Primary regulator" of a commercial entity or individual licensed or chartered by the United States is that commercial entity’s or individual’s primary federal regulator, the primary regulator of a commercial entity or individual licensed by the department of finance is the department of finance, the primary regulator of a commercial entity or individual licensed by the department of insurance is the department of insurance and, for all agencies and all other commercial entities or individuals, the primary regulator is the attorney general.
[28-51-104, added 2006, ch. 258, sec. 1, p. 796; am. 2015, ch. 141, sec. 51, p. 418.]