Rating: 0
Bill Summary:
Senate Bill 1066 amends Idaho’s existing breach notification statutes (Idaho Code §§28-51-104 through 28-51-106) to expand the definition of “personal information” — now termed “personally identifiable information” (PII) — and update the procedures entities must follow in the event of a data breach. The expanded definition includes a wide range of data elements such as usernames and passwords, email addresses with login credentials, DNA profiles, medical history, biometric data, and taxpayer identification numbers.
The bill requires that any agency, individual, or commercial entity that determines PII has been misused — or is reasonably likely to be misused — must notify affected Idaho residents and offer at least 12 months of free credit monitoring. It also mandates that information be provided on how to enroll in this service and how to place a credit freeze with credit bureaus. Additionally, the bill establishes that intentional unauthorized disclosure of PII by a government employee is a misdemeanor offense. These requirements apply to both public and private entities, and the bill includes an emergency clause, taking effect July 1, 2025.
Reason for Rating:
S1066 strengthens protections for Idahoans by ensuring prompt breach notifications and offering meaningful remedies like credit monitoring. These measures align with the Idaho Republican Party Platform’s emphasis on individual privacy, personal responsibility, and transparency. However, the bill also imposes new regulatory burdens on private individuals and businesses — including non-commercial operators of digital platforms — who could be required to offer costly remedies even in low-risk or minor data breaches. This broad application, combined with the potential for overregulation, raises concerns under the platform’s principles of free enterprise and limited government intervention. Because the bill promotes consumer protection while imposing sweeping obligations on the private sector, it is best rated as neutral.