The proposed bill introduces Chapter 67 to Title 41 of the Idaho Code, known as the "Insurance Data Security Act," which requires insurance licensees to implement comprehensive information security programs to safeguard nonpublic information. It defines essential terms such as "licensee," "cybersecurity event," and "nonpublic information," and mandates that licensees notify the director of any significant cybersecurity events within ten business days. Furthermore, the bill requires licensees to maintain records of such events for a minimum of five years and to develop incident response plans to address potential breaches.

The legislation grants the director the authority to examine and investigate licensees for compliance with the new security requirements, while ensuring the confidentiality of shared documents and information. It specifies that these materials are not subject to public records requests or civil discovery, although the director can share information with other regulatory and law enforcement agencies under confidentiality agreements. The bill also includes exceptions for certain licensees based on employee count and revenue, clarifies that there is no private cause of action for violations, and establishes civil penalties for noncompliance. The act is set to take effect on July 1, 2025, with a compliance deadline for licensees extended to July 1, 2026.