Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Written Program for Protection & Security
  • Third Party: Specific Obligations
  • Third Parties: Mandated Contracts
  • Employee Training
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach and notification laws carry fines of up to $25,000 per breach.

Regulation Levels
  • Breach Reporting
  • Consumer Notification
  • Third Party Management
  • Privacy Programs
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • If an agency becomes aware of a breach of the security of the system, it must notify the Idaho attorney general within twenty-four (24) hours of the discovery.
  • There are specific considerations when determining if a breach is reportable.
  • Notifications may only be given by specific methods.
  • The law applies to any person or entity conducting business in the state who licenses or maintains personal information in the course of business.
  • If a vendor is breached, the vendor reports it to the data owner. The data owner is responsible for completing the reporting and consumer notification, but the vendor is still required to cooperate.
  • If your breach affects residents of other states, you will need to notify those residents under each state's rules.
Statutes and Laws
  • ID Code § 28-51-103 Payment Card Receipts
  • ID Code § 28-51-104 Identity Theft – Definitions
  • ID Code § 28-51-105 Disclosure of Breach of Security of Computerized Personal Information by an Agency, Individual or a Commercial Entity
  • ID Code § 28-51-106 Procedures deemed in compliance with security breach requirements
  • ID Code § 28-51-107 Violations
  • ID Code § 28-51-103 Credit Report Protection Act
  • ID Code § 28-52-108 Protection of personal information