This bill amends several sections of the Idaho Code related to identity theft, specifically focusing on the definitions and procedures surrounding the breach of security of computerized personally identifiable information (PII). Key changes include the introduction of new definitions, such as "encryption" and a more detailed description of what constitutes a "breach of the security of the system." The bill clarifies that a breach does not include data acquired from sources outside the systems maintained by the agency, individual, or commercial entity. Additionally, it updates the terminology from "personal information" to "personally identifiable information" and expands the definition of PII to include various data elements, such as passport numbers and medical history.

Furthermore, the bill outlines the responsibilities of agencies, individuals, and commercial entities in the event of a data breach, including the requirement to notify affected residents and offer credit monitoring services. It establishes compliance procedures for those maintaining their own security policies and allows for civil actions by primary regulators against entities that fail to provide required notices. The bill declares an emergency and sets an effective date of July 1, 2025, for its provisions.