Ask Reggi Your Question Now
Can I avoid having a data breach response plan in Idaho? What are the requirements?
Can I avoid having a data breach response plan in Idaho? What are the requirements?
To answer your question, Idaho law requires that any agency, individual, or commercial entity that owns or licenses computerized data that includes personal information about a resident of Idaho must have a data breach response plan in place [1.2]. However, if you are an agency, individual, or commercial entity that maintains its own notice procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of section 28-51-105, Idaho Code, you are deemed to be in compliance with the notice requirements of section 28-51-105, Idaho Code, if you notify affected Idaho residents in accordance with your policies in the event of a breach of security of the system [1.2].
It is important to note that private emergency response plans may be prepared for any facility or specific set of conditions, but they must be approved by the local emergency response authority or the military division unless the plan meets certain requirements [2.1].
Therefore, while there are certain circumstances where you may be deemed to be in compliance with the notice requirements without a specific data breach response plan, it is highly recommended to have one in place to ensure a timely and effective response to a breach and to comply with Idaho law.
In summary, a data breach response plan is required by Idaho law for any agency, individual, or commercial entity that owns or licenses computerized data that includes personal information about a resident of Idaho [1.2]. While there are certain circumstances where you may be deemed to be in compliance with the notice requirements without a specific data breach response plan, it is highly recommended to have one in place to ensure a timely and effective response to a breach and to comply with Idaho law.
Source(s):
- [2.1] PRIVATE EMERGENCY RESPONSE PLAN APPROVAL.
- [1.2] DISCLOSURE OF BREACH OF SECURITY OF COMPUTERIZED PERSONAL INFORMATION BY AN AGENCY, INDIVIDUAL OR A COMMERCIAL ENTITY.
Jurisdiction
Idaho