Can I use third-party customer service tools that collect personal information in Idaho? What are the requirements?
Using Third-Party Customer Service Tools that Collect Personal Information in Idaho
If you are using third-party customer service tools that collect personal information in Idaho, you must comply with the Disclosure of Breach of Security of Computerized Personal Information by an Agency, Individual or a Commercial Entity law [1.1].
According to the law, if you own or license computerized data that includes personal information about a resident of Idaho and you become aware of a breach of the security of the system, you must conduct a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, you must give notice as soon as possible to the affected Idaho resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach, to identify the individuals affected, and to restore the reasonable integrity of the computerized data system.
Additionally, when an agency becomes aware of a breach of the security of the system, it shall, within twenty-four (24) hours of such discovery, notify the office of the Idaho attorney general.
Therefore, if you are using third-party customer service tools that collect personal information in Idaho, you must ensure that you have measures in place to detect and respond to any security breaches promptly. You must also have a plan in place to notify affected Idaho residents and the office of the Idaho attorney general in the event of a breach.
Exceptions to Notice and Opt-Out Requirements for Disclosure of Nonpublic Personal Financial Information
If you are collecting nonpublic personal financial information, you must comply with the Other Exceptions to Notice and Opt-Out Requirements for Disclosure of Nonpublic Personal Financial Information law [2.2].
The law provides exceptions to the opt-out requirements for disclosing nonpublic personal financial information. One of the exceptions is to protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product, or transaction.
Therefore, if you are collecting nonpublic personal financial information, you may disclose it without providing an opt-out option if it is necessary to protect the confidentiality or security of your records.
Procedures Deemed in Compliance with Security Breach Requirements
If you maintain your own notice procedures as part of an information security policy for the treatment of personal information, and your procedures are otherwise consistent with the timing requirements of section 28-51-105, Idaho Code, you are deemed to be in compliance with the notice requirements of section 28-51-105, Idaho Code, if you notify affected Idaho residents in accordance with your policies in the event of a breach of security of the system [1.2].
Conclusion
To summarize, if you are using third-party customer service tools that collect personal information in Idaho, you must comply with the Disclosure of Breach of Security of Computerized Personal Information by an Agency, Individual or a Commercial Entity law. If you are collecting nonpublic personal financial information, you must comply with the Other Exceptions to Notice and Opt-Out Requirements for Disclosure of Nonpublic Personal Financial Information law. If you maintain your own notice procedures as part of an information security policy for the treatment of personal information, and your procedures are otherwise consistent with the timing requirements of section 28-51-105, Idaho Code, you are deemed to be in compliance with the notice requirements of section 28-51-105, Idaho Code, if you notify affected Idaho residents in accordance with your policies in the event of a breach of security of the system.
Source(s):
- [1.1] DISCLOSURE OF BREACH OF SECURITY OF COMPUTERIZED PERSONAL INFORMATION BY AN AGENCY, INDIVIDUAL OR A COMMERCIAL ENTITY.
- [1.2] PROCEDURES DEEMED IN COMPLIANCE WITH SECURITY BREACH REQUIREMENTS.
- [2.2] OTHER EXCEPTIONS TO NOTICE AND OPT OUT REQUIREMENTS FOR DISCLOSURE OF NONPUBLIC PERSONAL FINANCIAL INFORMATION.
Jurisdiction
Idaho