The proposed bill introduces Chapter 67 to Title 41 of the Idaho Code, known as the "Insurance Data Security Act," which requires insurance licensees to implement comprehensive information security programs that are appropriate for their size, complexity, and the sensitivity of the nonpublic information they manage. The legislation defines key terms such as "cybersecurity event," "nonpublic information," and "licensee," and mandates that licensees promptly investigate cybersecurity incidents, maintain records for five years, and notify the director and affected consumers in a timely manner. The bill also grants the director the authority to examine and investigate licensees for compliance, while ensuring the confidentiality of shared documents and information.

Furthermore, the bill establishes that there is no private cause of action for violations and outlines civil penalties for non-compliance. It emphasizes that the provisions of this chapter will serve as the exclusive state standards for information security programs and cybersecurity events, overriding any conflicting laws. The director is authorized to create necessary rules based on the nature and complexity of the licensees, with the bill set to take effect on July 1, 2025, and a compliance deadline for licensees extended to July 1, 2026.