Can I ignore my obligations as a service provider with access to personal information in Idaho? What are the requirements?
As a service provider with access to personal information in Idaho, you cannot ignore your obligations. The Idaho law requires that you provide notice to individuals about your privacy practices and obtain their consent before collecting, using, or disclosing their personal information. Additionally, you must take reasonable steps to protect the security of the personal information you collect and maintain [3.1].
Requirements for Service Providers with Access to Personal Information in Idaho
According to IDAPA 18.01.01.450 [3.1], service providers with access to personal information in Idaho must:
- Provide initial notice to individuals in accordance with Section 100.
- Enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception in Section 451 or 452 in the ordinary course of business to carry out those purposes.
Public Access to Provider Information
According to IDST 54-4603 [1.1], each board must make certain information pertaining to each provider accessible to the public on the board’s website, including licensure status, description or documentation of any final board disciplinary actions that are considered to be public, and other public information at the discretion of the board.
Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information
According to IDAPA 18.01.01.401 [3.4], if a licensee discloses nonpublic personal financial information to a nonaffiliated third party, the third party may disclose that information only to the licensee’s affiliates, to the third party’s affiliates, or to any other person if the disclosure would be lawful if the licensee made it directly to that person.
Access by Persons to Information Pertaining to Them
According to IDAPA 09.01.08.11 [4.1], individuals or employers may access employment security information pertaining to them, subject to the procedures and restrictions contained in the Idaho Public Records Act and reimbursement provisions in Section 020 of these rules.
Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions
According to IDAPA 18.01.01.451 [3.3], the requirements for initial notice, opt-out, and service providers and joint marketing do not apply if the licensee discloses nonpublic personal financial information as necessary to effect, administer or enforce a transaction that a consumer requests or authorizes, or in connection with:
- Servicing or processing an insurance product or service that a consumer requests or authorizes.
- Maintaining or servicing the consumer’s account with a licensee, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity.
- A proposed or actual securitization, secondary market sale (including sales of servicing rights) or similar transaction related to a transaction of the consumer.
- Reinsurance or stop loss or excess loss insurance.
Procedures Deemed in Compliance with Security Breach Requirements
An agency, individual, or commercial entity that maintains its own notice procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of section 28-51-105, Idaho Code, is deemed to be in compliance with the notice requirements of section 28-51-105, Idaho Code, if the agency, individual, or the commercial entity notifies affected Idaho residents in accordance with its policies in the event of a breach of security of the system [2.1].
Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information
The requirements for initial notice to consumers, opt-out, and service providers and joint marketing do not apply when a licensee discloses nonpublic personal financial information in the following cases, among other exceptions [3.2]:
- With the consent or at the direction of the consumer.
- To protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product or transaction.
- To protect against or prevent actual or potential fraud or unauthorized transactions.
- For prescribed institutional risk control or for resolving consumer disputes or inquiries.
- To persons holding a legal or beneficial interest relating to the consumer.
- To persons acting in a fiduciary or representative capacity on behalf of the consumer.
Disclosure of Breach of Security of Computerized Personal Information by an Agency, Individual, or a Commercial Entity
A city, county, or state agency, individual, or a commercial entity that conducts business in Idaho and that owns or licenses computerized data that includes personal information about a resident of Idaho shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, the agency, individual, or the commercial entity shall give notice as soon as possible to the affected Idaho resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach, to identify the individuals affected, and to restore the reasonable integrity of the computerized data system [2.2].
Therefore, you cannot ignore your obligations as a service provider with access to personal information in Idaho. You must provide notice to individuals about your privacy practices and obtain their consent before collecting, using, or disclosing their personal information. Additionally, you must take reasonable steps to protect the security of the personal information you collect and maintain. There are exceptions to the notice and opt-out requirements for disclosure of nonpublic personal financial information, and there are procedures that are deemed to be in compliance with the security breach notice requirements.
Source(s):
- [1.1] PUBLIC ACCESS TO PROVIDER INFORMATION.
- [2.1] PROCEDURES DEEMED IN COMPLIANCE WITH SECURITY BREACH REQUIREMENTS.
- [3.1] EXCEPTION TO OPT OUT REQUIREMENTS FOR DISCLOSURE OF NONPUBLIC PERSONAL FINANCIAL INFORMATION FOR SERVICE PROVIDERS AND JOINT MARKETING.
- [3.2] OTHER EXCEPTIONS TO NOTICE AND OPT OUT REQUIREMENTS FOR DISCLOSURE OF NONPUBLIC PERSONAL FINANCIAL INFORMATION.
- [4.1] ACCESS BY PERSONS TO INFORMATION PERTAINING TO THEM.
- [3.3] EXCEPTIONS TO NOTICE AND OPT OUT REQUIREMENTS FOR DISCLOSURE OF NONPUBLIC PERSONAL FINANCIAL INFORMATION FOR PROCESSING AND SERVICING TRANSACTIONS.
- [2.2] DISCLOSURE OF BREACH OF SECURITY OF COMPUTERIZED PERSONAL INFORMATION BY AN AGENCY, INDIVIDUAL OR A COMMERCIAL ENTITY.
- [3.4] LIMITS ON REDISCLOSURE AND REUSE OF NONPUBLIC PERSONAL FINANCIAL INFORMATION.
Jurisdiction
Idaho