The proposed bill introduces Chapter 67 to Title 41 of the Idaho Code, known as the "Insurance Data Security Act," which requires insurance licensees to implement comprehensive information security programs to safeguard nonpublic information. It outlines the necessary procedures for investigating and notifying relevant parties in the event of a cybersecurity incident, while providing key definitions such as "licensee," "cybersecurity event," and "nonpublic information." Licensees are required to maintain records of their information security programs for five years and develop incident response plans. The bill also grants the director of the insurance department the authority to examine and investigate licensees for compliance, establishes penalties for noncompliance, and emphasizes the confidentiality of information during investigations.
Furthermore, the bill specifies that there will be no private cause of action for violations of the act and includes provisions for certain exceptions based on employee count, revenue, and compliance with federal regulations like HIPAA. It ensures that documents obtained during investigations are not subject to public records requests or civil actions, while allowing for information sharing with regulatory and law enforcement agencies under confidentiality agreements. The act is set to take effect on July 1, 2025, with a compliance deadline for licensees of July 1, 2026, and includes a severability clause to maintain the enforceability of the remaining provisions if any part is found invalid.