This bill amends several sections of the Idaho Code related to identity theft, specifically focusing on the definitions and procedures surrounding the breach of security of computerized personally identifiable information (PII). Key changes include the clarification of terms such as "agency," "breach of the security of the system," and "personally identifiable information," with new definitions and technical corrections added. Notably, the bill specifies that a breach does not include data acquired from sources outside the systems maintained by the agency, individual, or commercial entity. Additionally, it introduces a definition for "encryption" and expands the definition of PII to include more data elements, such as passport numbers and biometric data.

The bill also revises the notification requirements for agencies, individuals, or commercial entities in the event of a data breach. It mandates that they conduct a prompt investigation and notify affected residents as soon as possible if misuse of PII is likely. Furthermore, if misuse is determined, they must offer credit monitoring services for at least twelve months. The bill establishes compliance procedures for entities maintaining their own notice policies and outlines penalties for failing to provide required notifications, including fines for intentional non-compliance. An emergency clause is included, making the act effective on July 1, 2025.