This bill amends several sections of the Idaho Code related to identity theft and the security of personally identifiable information (PII). Key changes include the revision of definitions, such as the clarification of what constitutes a "breach of the security of the system," which now specifies that such a breach does not include data acquired from sources outside the agency, individual, or commercial entity's systems. The term "personal information" is replaced with "personally identifiable information" (PII), which is further defined to include various data elements that, when combined with a resident's name, can identify them. Additionally, the bill introduces a new requirement for entities that experience a breach to offer credit monitoring services to affected residents for at least twelve months.

The bill also outlines the responsibilities of agencies, individuals, and commercial entities in the event of a data breach, including the obligation to notify affected residents and the Idaho Attorney General promptly. It establishes compliance procedures for those with existing security policies and allows for civil actions against entities that fail to provide required notifications. The bill declares an emergency, making it effective from July 1, 2025.