Idaho Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Idaho's data breach notification law requires businesses, government agencies, and individuals to alert Idaho residents when their personal information has been compromised. Originally enacted in 2006 and last amended in 2014, the law stands out for its strict 24-hour agency reporting requirement to the Attorney General and its comparatively narrow definition of protected personal information.
For Idaho's broader privacy framework, see the parent guide to [Idaho Data Privacy Laws](/us-laws/data-privacy-laws/idaho-data-privacy-laws).
Who the Law Covers
Under Idaho Code § 28-51-105, the breach notification requirements apply to any city, county, or state agency, individual, or commercial entity that conducts business in Idaho and owns or licenses computerized data containing personal information about Idaho residents.
The law also reaches entities that maintain personal information on behalf of another organization but do not own the data. These third-party data holders must notify and cooperate with the data owner or licensee immediately after discovering a breach where misuse is reasonably likely.
Idaho Code § 28-51-104 defines a commercial entity broadly. It includes corporations, business trusts, estates, partnerships, limited partnerships, limited liability companies, associations, organizations, joint ventures, and any other legal entity, whether operating for profit or not.
What Qualifies as a Security Breach
Idaho defines a breach of the security of the system as the illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information for one or more persons maintained by an agency, individual, or commercial entity.
Two key conditions must be met for a breach to trigger notification:
- The data must be unencrypted at the time of the illegal acquisition
- The compromise must be material, not trivial or incidental
The statute includes a good faith exception. If an employee or agent of the entity acquires personal information in good faith for a legitimate business purpose, and the information is not used for an unauthorized purpose or subjected to further unauthorized disclosure, that acquisition does not constitute a breach.
Idaho's Narrow Definition of Personal Information
One of the most notable aspects of Idaho's law is how narrowly it defines personal information. Under § 28-51-104, personal information means an Idaho resident's first name or first initial and last name combined with any one or more of the following data elements, when either the name or data elements are not encrypted:
- Social Security number
- Driver's license number or state identification card number
- Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account
That is the complete list. Unlike many other states that have expanded their definitions over the years, Idaho's law does not cover:
- Biometric data (fingerprints, facial recognition, retina scans)
- Medical or health insurance information
- Passport numbers
- Taxpayer identification numbers
- Email addresses or online account credentials
Publicly available information that is lawfully accessible from federal, state, or local government records is also excluded from the definition.
This narrow scope means that a breach involving only medical records, biometric data, or email credentials would not trigger notification obligations under Idaho's current law.
Encryption Safe Harbor
Idaho's law provides a clear encryption safe harbor. The definitions of both personal information and breach of security specify that the data must be unencrypted to fall within the statute's scope.
If an organization maintains personal information in an encrypted format and the encryption keys are not compromised during a breach, no notification is required. The encrypted data simply falls outside the statutory definitions.
This safe harbor gives organizations a strong incentive to encrypt personal information at rest and in transit. Proper encryption effectively removes the data from Idaho's notification requirements entirely.
Notification Requirements and Timelines
Idaho's notification framework differs significantly depending on whether the breached entity is a government agency or a commercial entity.
Investigation First
When an entity becomes aware of a potential breach, it must first conduct a good faith, reasonable, and prompt investigation to determine whether personal information has been or will be misused.
Notification is required only if the investigation determines that misuse has occurred or is reasonably likely to occur. A breach that poses no reasonable likelihood of misuse does not trigger the notification requirement.
Notifying Affected Individuals
If misuse is determined to have occurred or is reasonably likely, the entity must notify affected Idaho residents as soon as possible. The law does not set a specific number of days. Instead, the timing standard is that notification must occur without unreasonable delay, consistent with:
- The legitimate needs of law enforcement
- Any measures necessary to determine the scope of the breach
- Any measures necessary to restore the reasonable integrity of the system

The 24-Hour Agency Reporting Rule
Idaho's most distinctive provision applies to government agencies. When a city, county, or state agency becomes aware of a breach, it must notify the Idaho Attorney General's Consumer Protection Division within 24 hours of discovery.
This 24-hour window is one of the shortest mandatory government reporting deadlines in the nation. It begins at the moment the agency discovers the breach, not when the investigation concludes.
State agencies face an additional requirement. They must also report the breach to the chief information officer within the Idaho Department of Administration, in accordance with policies established by the Idaho Technology Authority.
Commercial entities are not required to notify the Attorney General under Idaho law. They may do so voluntarily, but there is no mandatory AG reporting obligation for private sector breaches regardless of the number of affected individuals.
Methods of Notice

Under § 28-51-104, notice may be provided through any of the following methods:
- Written notice sent by mail
- Telephone notification
- Electronic notice (if the entity has a valid email address and the notice is consistent with federal E-SIGN Act requirements)
Substitute notice is available when the cost of direct notification exceeds $25,000, more than 50,000 Idaho residents must be notified, or the entity lacks sufficient contact information. Substitute notice requires all three of the following:
- Email notice to all affected individuals for whom the entity has an email address
- Conspicuous posting on the entity's website
- Notification through major statewide media
Law Enforcement Delay
Notification to individuals may be delayed if a law enforcement agency advises that notification would impede a criminal investigation. Once law enforcement determines that notification will no longer compromise the investigation, the entity must proceed with notification without unreasonable delay.
This provision does not affect the 24-hour AG notification requirement for government agencies. That deadline runs independently of any law enforcement delay.
Compliance Safe Harbors
Idaho Code § 28-51-106 provides two compliance safe harbors.
First, an entity that maintains its own notification procedures as part of an information security policy is deemed in compliance with Idaho's law, provided those procedures are consistent with the timing requirements of § 28-51-105 and the entity follows them when a breach occurs.
Second, an entity regulated by state or federal law that maintains breach notification procedures under the rules, regulations, or guidelines established by its primary regulator is deemed in compliance. This means that organizations following HIPAA, the Gramm-Leach-Bliley Act, or other federal breach notification frameworks can rely on those procedures to satisfy Idaho's requirements.
Penalties and Enforcement
Civil Penalties

Under Idaho Code § 28-51-107, any entity that intentionally fails to provide notice as required faces a civil fine of up to $25,000 per breach of the security of the system.
The word intentionally is significant. An entity that makes a good faith effort to comply but falls short may not face penalties. The fine targets deliberate failures to notify, not accidental delays or honest mistakes in determining whether notification was required.
Enforcement actions are brought by the entity's primary regulator. For most commercial entities, the primary regulator is the Idaho Attorney General. For entities regulated by federal agencies, the Department of Finance, or the Department of Insurance, those regulators handle enforcement.
Criminal Penalties for Government Employees
Idaho's law includes a criminal provision that specifically targets government employees. Under § 28-51-105, any governmental employee who intentionally discloses personal information that is not subject to disclosure under applicable law is guilty of a misdemeanor.
The penalties for this misdemeanor include:
- A fine of up to $2,000
- Imprisonment in a county jail for up to one year
- Or both
This criminal provision is separate from the civil fine structure and applies exclusively to government employees who deliberately share protected data.
No Private Right of Action
Idaho's breach notification law does not create a private right of action. Individual residents cannot sue entities directly under this statute for failure to notify. Enforcement is left entirely to primary regulators and the Attorney General.
Reporting a Breach to the Idaho Attorney General
Government agencies must report breaches to the Idaho Attorney General's Consumer Protection Division within 24 hours. Reports can be submitted by email to consumer_protection@ag.idaho.gov or by mail to:
Office of the Idaho Attorney General
Consumer Protection Division
P.O. Box 83720
Boise, ID 83720-0010
For questions about Idaho's breach notification law, contact Deputy Attorney General Corbin Schamber at 208-334-4135.
The Attorney General's office maintains a public registry of breach notifications received since January 1, 2021.

Pending Legislative Changes
Idaho's data breach notification law has not been significantly updated since 2014, but there have been recent efforts to modernize it.
In 2025, the Idaho Senate passed Senate Bill 1066 by a vote of 27-6. The bill would have expanded the definition of personal information to include passport numbers, email addresses, medical histories, biometric data, and taxpayer identification numbers. It also would have required entities to offer affected individuals 12 months of free credit monitoring after a breach.
S.B. 1066 passed the Senate and was referred to the House Business Committee, which recommended passage. However, the bill stalled on the House General Orders calendar and was not enacted before the session ended.
Separately, in 2026, House Bill 744 was introduced to address biometric privacy in Idaho, requiring informed consent before commercial collection of biometric identifiers. While not directly amending the breach notification statute, this bill signals growing legislative interest in expanding data protections beyond the current narrow framework.
As of March 2026, Idaho's breach notification law remains unchanged from its 2014 version.
Sources and References
This article references Idaho statutes and official state government publications. For the full text of the breach notification law, visit the Idaho Legislature website. For guidance on reporting a breach or filing a complaint, visit the Idaho Attorney General's Security Breaches page.
This article provides general legal information about Idaho data breach notification laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Idaho government sources.
- Idaho Code § 28-51-104 (Definitions) (legislature.idaho.gov)
- Idaho Code § 28-51-105 (Breach notification requirements) (legislature.idaho.gov)
- Idaho Code § 28-51-106 (Compliance procedures) (legislature.idaho.gov)
- Idaho Code § 28-51-107 (Penalties) (legislature.idaho.gov)
- Idaho Code Title 28, Chapter 51 (Identity Theft) (legislature.idaho.gov)
- Idaho AG Consumer Protection - Security Breaches (ag.idaho.gov)
- Senate Bill 1066 (2025) - Data breaches, credit monitoring (legislature.idaho.gov)
- House Bill 744 (2026) - Biometric identifiers (legislature.idaho.gov)