This bill amends several sections of the Idaho Code related to identity theft, specifically focusing on the definitions and procedures surrounding the breach of security of computerized personally identifiable information (PII). Key changes include the revision of the definition of "commercial entity" to clarify its scope, the update of terminology from "personal information" to "personally identifiable information" (PII), and the inclusion of additional data elements that constitute PII, such as passport numbers, usernames, and medical history. The bill also specifies that agencies, individuals, or commercial entities must notify affected residents promptly in the event of a data breach and outlines the conditions under which notice may be delayed.

Furthermore, the bill introduces new requirements for entities that determine a misuse of PII has occurred, mandating them to offer credit monitoring services at no cost for at least 36 months and provide information on how affected residents can enroll in these services. It also establishes that entities with their own notice procedures that align with the law's requirements will be deemed compliant. The bill declares an emergency, making it effective from July 1, 2025.