Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Limited methods of notification delivery;
  • Vendors must report to Data Owners and cooperate;
  • Data Owners are responsible for reporting and notifications;
  • For Violations, civil action may be taken to enforce compliance or enjoinment.  Fines are up $25,000;
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply.

Who Me?


Idaho breach and notification laws may apply if you you are a city, county or state agency, individual or commercial entity that:

  • Conducts business in ID and owns or licenses computerized data that includes PII about an ID resident;
  • Maintains computerized data that includes PII that you do not own or license.

 There are exemptions.

What is PII?


PII relevant to a breach in Idaho include a person's name plus one of the following:

  • Social Security Number;
  • Driver license or state ID  card number;
  • Account number or credit  or debit card number in combination any security code, access code or password, etc. permitting access to the person's financial account.



A few applicable statutes include, but are not limited to:

  • Title 28 Commercial Transactions /
  • Chapter 51 Identity Theft / § 28-51-104 - $28-51-107


A few applicable statutes include, but are not limited to:

  • Title 28 Commercial Transactions /
  • Chapter 51 Identity Theft / § 28-51-103 Payment Card Receipts

There are numerous statutes for cities, counties, and state agencies, et al, to follow.



For violations, the primary regulator in the jurisdiction of the offending agency, individual or commercial entity may bring a civil action to enforce compliance and enjoin the entity from further violations. The entity may also be fined up to $25,000 per breach.



When considering reporting requirements, it would include, but not limited to:

  • The combination of personal information breached;
  • If the data was computerized;
  • If the data was encrypted or redacted;
  • Whether the acquisition materially compromises the personal information;
  • Whether misuse of the information may occur.


Depending on impact and type of breach there may be specific entities to report to and specific time limits to report a breach. The notifications must be made in the most expedient time and manner possible and without unreasonable delay, unless law enforcement advises the person it will interfere with an investigation. If an agency becomes aware of a breach of the security of the system, it must notify the Idaho attorney general within twenty-four (24) hours of the discovery.


Requires detailed information and potential provision of services

Disclosure may be made by written notice, telephone or electronically (with stipulations).
A substitute notice, with specific requirements, may be sent if the person demonstrates that the cost of providing the notice would exceed $25,000, or the persons to be notified exceeds 50,000, or they do not have sufficient contact information.

Contact the Privacy Experts at CSR