The proposed bill introduces Chapter 67 to Title 41 of the Idaho Code, known as the "Insurance Data Security Act," which requires insurance licensees to implement comprehensive information security programs to safeguard nonpublic information. It defines key terms such as "licensee," "cybersecurity event," and "nonpublic information," and mandates that licensees maintain records of their security programs for five years and develop incident response plans for cybersecurity incidents. The bill also empowers the director of the insurance department to examine and investigate licensees for compliance, establishes penalties for noncompliance, and emphasizes the confidentiality of information shared during investigations.
Furthermore, the bill specifies that there is no private cause of action for violations and outlines exceptions for certain licensees based on employee count, revenue, and adherence to federal regulations like HIPAA. It asserts that the provisions of this chapter will serve as the exclusive state standards for information security, with the director authorized to create implementing rules. The legislation declares an emergency, sets an effective date of July 1, 2025, and sets a compliance deadline of July 1, 2026, for licensees.