
Data Protection Impact Assessment (DPIA) - Idaho


DATA PROTECTION IMPACT ASSESSMENT (DPIA)

State of Idaho


Organization: [________________________________]
Assessment Date: [__/__/____]
Assessment Reference No.: [________________________________]
Prepared By: [________________________________]
Department/Division: [________________________________]


1. Project Overview

Project Name / Identifier: [________________________________]

Project Owner: [________________________________]

Executive Sponsor: [________________________________]

Project Description:
[____________________________________________________________]
[____________________________________________________________]
[____________________________________________________________]

Business Justification:
[____________________________________________________________]
[____________________________________________________________]

Projected Launch Date: [__/__/____]

Project Phase: [____] (e.g., concept, design, development, deployment, ongoing operations)

Systems / Applications Involved:
| System Name | Vendor | Environment | Data Types |
|---|---|---|---|
| [________________________________] | [________________________________] | [____] | [________________________________] |
| [________________________________] | [________________________________] | [____] | [________________________________] |
| [________________________________] | [________________________________] | [____] | [________________________________] |


2. Scope of Processing

2.1 Data Subjects

☐ Customers / Consumers
☐ Employees / Job Applicants
☐ Vendors / Contractors
☐ End Users (App / Website)
☐ Idaho residents served by a public agency
☐ Minors (under 13)
☐ Minors (13-17)
☐ Other: [________________________________]

2.2 Categories of Personal Data Collected

Personal Information as Defined by Idaho Code § 28-51-104(4):

An Idaho resident's first name or first initial and last name in combination with any one or more of the following data elements (when not encrypted):

☐ Social Security number
☐ Driver's license number or Idaho identification card number
☐ Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account

Note: Idaho's definition of "personal information" is narrower than that of many other states. Its breach notification statute does not explicitly include medical information, health insurance information, biometric data, or username/password combinations. Organizations should nonetheless inventory and protect those categories as a best practice, and should remember that a federal overlay (HIPAA, GLBA, COPPA) may attach its own breach duties to them regardless of the Idaho definition.

2.3 Additional Data Categories (Beyond Idaho Statutory Minimum)

While not specifically enumerated in Idaho Code § 28-51-104, the following categories should be documented for comprehensive risk assessment:

☐ Medical / health information
☐ Health insurance information
☐ Biometric identifiers (fingerprints, facial geometry, etc.)
☐ Geolocation data
☐ Username or email address with password or security question
☐ Tax identification numbers
☐ Passport numbers
☐ Student records
☐ Other: [________________________________]

2.4 Volume and Retention

  • Estimated number of data subjects: [________________________________]
  • Estimated records per year: [________________________________]
  • Retention period: [________________________________]
  • Deletion/destruction triggers: [________________________________]
  • Legal hold procedures: [________________________________]

2.5 Processing Activities

☐ Collection
☐ Storage / Hosting
☐ Analysis / Profiling
☐ Automated decision-making
☐ Sharing with third parties
☐ Sale of data
☐ Cross-border transfer
☐ Other: [________________________________]


3. Legal Basis, Notices, and Rights

3.1 Idaho Data Protection Legal Landscape

Idaho does not have a comprehensive consumer privacy law. The state's primary data protection statute is the Idaho Identity Theft / Breach Notification Law (Idaho Code §§ 28-51-104 through 28-51-108), which establishes breach notification requirements but does not create broad consumer data rights.

| Statute | Citation | Scope |
|---|---|---|
| Identity Theft / Breach Notification | Idaho Code §§ 28-51-104 to 28-51-108 | Breach notification for personal information |
| Idaho Consumer Protection Act | Idaho Code § 48-601 et seq. | General consumer protection (AG enforcement) |
| Idaho Insurance Data Security Act | Idaho Code § 41-1345 et seq. | Insurance industry data security |
| Student Data Accessibility, Transparency and Accountability Act | Idaho Code § 33-133 | Student data privacy in education |

3.2 Consumer Rights Under Idaho Law

  • No general right to access personal information held by businesses
  • No right to correction of personal information
  • No right to deletion of personal information
  • No right to opt out of data sales or targeted advertising
  • No right to data portability
  • No private right of action under the breach notification statute (enforcement is by the Idaho Attorney General, who may seek civil penalties and injunctive relief)

3.3 Entity Classification Under Idaho Law

Idaho's breach notification statute applies differently based on entity type:

State, city, or county agency -- Subject to 24-hour AG notification requirement
Commercial entity -- May (but not required to) notify the AG
Individual -- Same notification obligations as commercial entities
Third-party data holder -- Must immediately notify the owner or licensee of the data

Entity Classification for This Assessment: [________________________________]

3.4 Applicable Federal Overlays

☐ HIPAA (health data)
☐ GLBA (financial data)
☐ FERPA (educational records)
☐ COPPA (children under 13)
☐ FCRA (consumer reports)
☐ Other: [________________________________]


4. Data Flow and Transfers

4.1 Data Flow Diagram

Data Sources:
| Source | Data Type | Collection Method | Legal Basis |
|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |

Data Storage Locations:
| System / Platform | Cloud Region / Data Center | Encryption at Rest | Encryption in Transit |
|---|---|---|---|
| [________________________________] | [________________________________] | ☐ Yes ☐ No | ☐ Yes ☐ No |
| [________________________________] | [________________________________] | ☐ Yes ☐ No | ☐ Yes ☐ No |

4.2 Third-Party Recipients

| Recipient | Purpose | DPA in Place | Due Diligence Completed |
|---|---|---|---|
| [________________________________] | [________________________________] | ☐ Yes ☐ No | ☐ Yes ☐ No |
| [________________________________] | [________________________________] | ☐ Yes ☐ No | ☐ Yes ☐ No |

4.3 Cross-Border Transfers

☐ Data remains within the United States
☐ Data transferred internationally -- Transfer mechanism: [________________________________]

4.4 Access Controls

  • Role-based access control (RBAC) groups: [________________________________]
  • Least privilege principle: ☐ Implemented ☐ Not yet implemented
  • Joiner/mover/leaver process: ☐ Documented ☐ Not documented
  • Privileged access review cadence: [________________________________]

5. Security and Controls

5.1 Technical Controls

☐ Encryption at rest (standard: [________________________________])
☐ Encryption in transit (TLS version: [________________________________])
☐ Key management system: [________________________________]
☐ Network segmentation / micro-segmentation
☐ Endpoint detection and response (EDR)
☐ Logging and monitoring (SIEM: [________________________________])
☐ Data loss prevention (DLP)
☐ Automated backup and disaster recovery
☐ Vulnerability management and patch cadence: [________________________________]
☐ Intrusion detection / prevention systems
☐ Web application firewall (WAF)

Encryption Safe Harbor: Under Idaho Code § 28-51-104(1), a "breach of the security of the system" means the illegal acquisition of unencrypted computerized data, so acquisition of data that is encrypted does not by itself trigger the statute's notification duties. This is a significant incentive to encrypt PI at rest and in transit, with two practical caveats. First, record the algorithm and key length in the fields above so the "encrypted" determination can be defended during the investigation. Second, the exclusion is only as good as the key: if the attacker acquires the decryption key along with the data (risk ID-04 below), the data is effectively unencrypted. Keep keys in a key management system separate from the data store, restrict who and what can unwrap them, and log every key use so the investigation can establish whether the key was exposed.
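The Go program below is an added example, not part of this template or of any Idaho guidance; it shows in working code why the key-compromise caveat matters. It uses envelope encryption: each PI record is encrypted under its own data-encryption key (DEK), and only the DEK is encrypted under a key-encryption key (KEK). The in-memory KEK stands in for a KMS-held key (an assumption of this example), the record format and sample record are constructed, and binding the record ID as associated data is a design choice of this example, not something the template specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredRecord is what lands in the database or a backup: the encrypted PI and
// the per-record data-encryption key (DEK) wrapped under a key-encryption key
// (KEK). The KEK is never stored here; in production it would stay in a KMS
// (assumed). Neither field is usable without it.
type StoredRecord struct {
	Ciphertext []byte // nonce || AES-256-GCM(PI) under the DEK
	WrappedDEK []byte // nonce || AES-256-GCM(DEK) under the KEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong aad, or tampered data fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptRecord performs envelope encryption: a fresh DEK encrypts the PI and the
// KEK encrypts only the DEK. recordID is bound as associated data so a wrapped DEK
// cannot be moved to another record.
func EncryptRecord(kek, plaintext []byte, recordID string) (StoredRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredRecord{}, err
	}
	ct, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then decrypts the PI.
func DecryptRecord(kek []byte, rec StoredRecord, recordID string) ([]byte, error) {
	dek, err := open(kek, rec.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext, []byte(recordID))
}

func main() {
	// Constructed sample data: a random KEK standing in for a KMS-held key and a
	// fake PI record in the name + SSN shape the statute describes.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	pi := []byte(`{"name":"Jane Example","ssn":"000-00-0000"}`)
	rec, err := EncryptRecord(kek, pi, "resident-1")
	if err != nil {
		panic(err)
	}
	// Scenario 1: the dump (Ciphertext + WrappedDEK) is exfiltrated, the KEK is not.
	// Any key the attacker tries fails authentication; the data stays encrypted.
	if _, err := DecryptRecord(make([]byte, 32), rec, "resident-1"); err == nil {
		panic("dump decrypted without the KEK")
	}
	// Scenario 2 (risk ID-04): the KEK is taken with the dump. Everything opens and
	// the encryption exclusion no longer applies to this data.
	if got, err := DecryptRecord(kek, rec, "resident-1"); err != nil || string(got) != string(pi) {
		panic("decryption with the real KEK failed")
	}
	fmt.Println("PI recoverable only when the KEK is compromised along with the dump")
}
```

Run it with `go run`. The point for the assessment: a database dump containing only `Ciphertext` and `WrappedDEK` is still encrypted data in the statute's sense, while the same dump taken together with the KEK is not, so the key store, its access controls, and its audit logs belong inside the scope of the breach investigation, not outside it.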

5.2 Organizational Controls

☐ Information security policy (last reviewed: [__/__/____])
☐ Privacy policy (last reviewed: [__/__/____])
☐ Acceptable use policy
☐ Employee training cadence: [________________________________]
☐ Vendor due diligence program
☐ Incident response plan (last tested: [__/__/____])
☐ Change management procedures
☐ Data classification framework

5.3 Authentication and Authorization

☐ Multi-factor authentication (MFA) for all privileged access
☐ Single sign-on (SSO) / SAML integration
☐ Session timeout policies: [________________________________]
☐ Privileged access management (PAM) solution: [________________________________]


6. Risk Assessment

6.1 Identified Risks

| Risk ID | Risk Description | Likelihood | Impact | Risk Rating | Mitigation |
|---|---|---|---|---|---|
| ID-01 | Unauthorized acquisition of unencrypted PI triggering breach notification | [____] | High | [____] | [________________________________] |
| ID-02 | Public agency fails to notify AG within 24-hour window | [____] | High | [____] | [________________________________] |
| ID-03 | Third-party vendor breach affecting Idaho residents' PI | [____] | [____] | [____] | [________________________________] |
| ID-04 | Encryption key compromise rendering safe harbor inapplicable | [____] | High | [____] | [________________________________] |
| ID-05 | Inadequate investigation following potential breach | [____] | [____] | [____] | [________________________________] |
| ID-06 | Failure to notify data owner/licensee by third-party holder | [____] | [____] | [____] | [________________________________] |
| ID-07 | Children's data collected without COPPA compliance | [____] | [____] | [____] | [________________________________] |
| ID-08 | Unauthorized insider access to PI | [____] | [____] | [____] | [________________________________] |
| ID-09 | [________________________________] | [____] | [____] | [____] | [________________________________] |

6.2 Risk Rating Matrix

| Likelihood \ Impact | Low Impact | Medium Impact | High Impact | Critical Impact |
|---|---|---|---|---|
| High Likelihood | Medium | High | Critical | Critical |
| Medium Likelihood | Low | Medium | High | Critical |
| Low Likelihood | Low | Low | Medium | High |

6.3 Idaho-Specific Risk Considerations

  • Investigation requirement: Idaho law requires a good-faith "reasonable and prompt investigation" to determine the likelihood of misuse before individual notification is required (Idaho Code § 28-51-105(1)). Notification is required only if misuse has occurred or is "reasonably likely to occur." Because a decision not to notify rests entirely on this investigation, preserve the evidence behind it (logs, forensic images, access records, the encryption status of the affected data) and document who reached the conclusion and when; an undocumented or inadequate investigation could increase liability.
  • 24-hour AG notification for public agencies: This is one of the shortest AG notification windows in the country, and it runs from discovery rather than from completion of the investigation. Public agencies must have a pre-approved contact path, an on-call decision-maker, and a notice template ready in advance.
  • Third-party immediate notification: Third parties holding data they do not own or license must notify the owner or licensee immediately upon discovery, so vendor contracts and runbooks need a named breach contact on both sides.
  • Intentional failure penalties: Up to $25,000 per breach for intentional failure to notify.

7. Mitigations and Residual Risk

7.1 Planned Mitigations

| Risk ID | Mitigation Action | Owner | Target Date | Status |
|---|---|---|---|---|
| [____] | [________________________________] | [________________________________] | [__/__/____] | ☐ Not Started ☐ In Progress ☐ Complete |
| [____] | [________________________________] | [________________________________] | [__/__/____] | ☐ Not Started ☐ In Progress ☐ Complete |
| [____] | [________________________________] | [________________________________] | [__/__/____] | ☐ Not Started ☐ In Progress ☐ Complete |
| [____] | [________________________________] | [________________________________] | [__/__/____] | ☐ Not Started ☐ In Progress ☐ Complete |

7.2 Validation and Testing

☐ Penetration testing completed (date: [__/__/____])
☐ Security audit completed (date: [__/__/____])
☐ Privacy-by-design review completed
☐ Tabletop incident response exercise conducted (date: [__/__/____])
☐ Vendor security assessments completed
☐ 24-hour AG notification drill (for public agencies) (date: [__/__/____])

7.3 Residual Risk Determination

Overall Residual Risk Rating: ☐ Low ☐ Medium ☐ High ☐ Critical

Decision: ☐ Accept ☐ Mitigate Further ☐ Transfer (Insurance) ☐ Avoid / Block Project

Justification: [____________________________________________________________]


8. Incident Response and Breach Notification

8.1 Idaho Breach Notification Requirements (Idaho Code § 28-51-105)

8.1.1 Triggering Event

A "breach of the security of the system" is the illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information for one or more persons maintained by an agency, individual, or a commercial entity (Idaho Code § 28-51-104(1)).

Good-faith exception: Good-faith acquisition of personal information by an employee or agent of the entity is not a breach, provided the personal information is not used for an unauthorized purpose or subject to further unauthorized disclosure (Idaho Code § 28-51-104(1)).

8.1.2 Investigation Requirement

Upon becoming aware of a breach, the entity must conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. Notification is required only if the investigation determines that misuse has occurred or is reasonably likely to occur (Idaho Code § 28-51-105(1)).

8.1.3 Notification Requirements by Entity Type

| Entity Type | Individual Notice | AG Notice | Timeline |
|---|---|---|---|
| State, city, or county agency | Required (if investigation finds misuse occurred or is reasonably likely) | Required within 24 hours of discovery (the clock starts at discovery, not at the end of the investigation) | Individual notice as soon as possible |
| Commercial entity | Required (if misuse occurred or is reasonably likely) | May notify but not required | As soon as possible |
| Individual | Required (if misuse occurred or is reasonably likely) | May notify but not required | As soon as possible |
| Third-party data holder | N/A (notify data owner/licensee) | N/A | Immediately following discovery |

8.1.4 Methods of Notification (Idaho Code § 28-51-106)

Written notice to the most recent address in the entity's records
Telephonic notice
Electronic notice (if consistent with E-SIGN Act, 15 U.S.C. § 7001)
Substitute notice -- available if:

  • Cost would exceed $25,000, OR
  • Affected class exceeds 50,000 residents, OR
  • Entity does not have sufficient contact information

Substitute notice requires ALL of the following:

  • Email notice (if email address is available)
  • Conspicuous posting on the entity's website (if one is maintained)
  • Notification to major statewide media

8.1.5 Law Enforcement Delay

Notice may be delayed if a law enforcement agency advises that notification will impede a criminal investigation. Notice must be provided as soon as the law enforcement agency advises that notification will no longer impede the investigation (Idaho Code § 28-51-105(4)).

8.1.6 Penalties (Idaho Code § 28-51-107)

| Violation | Penalty |
|---|---|
| Intentional failure to disclose a breach | Up to $25,000 per breach |
| Enforcement | Idaho Attorney General |
| Additional remedies | Injunctive relief |
| Private right of action | None under breach notification statute |

8.1.7 Safe Harbor (Idaho Code § 28-51-108)

An entity that maintains its own notification procedures as part of an information security policy and is otherwise consistent with the timing requirements of the Idaho statute is deemed to be in compliance, provided the entity notifies affected Idaho residents in accordance with its policies in the event of a breach.

8.2 Internal Incident Response Procedures

Incident Response Team Lead: [________________________________]
Legal Counsel (ID-licensed): [________________________________]
AG Notification Contact (for public agencies): Idaho Office of the Attorney General, Consumer Protection Division

Response Timeline:
| Step | Action | Responsible Party | Target Timeframe |
|---|---|---|---|
| 1 | Identify and contain the incident; preserve logs and forensic evidence | [________________________________] | Immediate |
| 2 | Determine whether PI (as defined by Idaho Code § 28-51-104) is involved and whether it was encrypted, and whether the key may also have been exposed | [________________________________] | Within 12 hours |
| 3 | Engage Idaho-licensed legal counsel | [________________________________] | Within 24 hours |
| 4 | If public agency: notify Idaho AG | [________________________________] | Within 24 hours of discovery (does not wait for the investigation to conclude) |
| 5 | If third-party holder: notify data owner/licensee | [________________________________] | Immediately following discovery |
| 6 | Conduct reasonable and prompt investigation | [________________________________] | Begin immediately; runs in parallel with steps 2-5 |
| 7 | Determine likelihood of misuse and document the basis for the decision | [________________________________] | Within 48-72 hours |
| 8 | Prepare and send notification to affected individuals (if misuse occurred or is reasonably likely) | [________________________________] | As soon as possible |
| 9 | Document incident, investigation, and remediation | [________________________________] | Ongoing |


9. State Law Overlay Summary -- Idaho

9.1 Key Compliance Obligations

| Area | Requirement | Citation |
|---|---|---|
| Breach notification | Notify affected ID residents as soon as possible after investigation finds misuse occurred or is reasonably likely | Idaho Code § 28-51-105 |
| Investigation | Good-faith, reasonable, and prompt investigation required | Idaho Code § 28-51-105(1) |
| Public agency AG notice | Within 24 hours of discovery | Idaho Code § 28-51-105(2) |
| Third-party notice | Immediately notify data owner/licensee | Idaho Code § 28-51-105(3) |
| Encryption safe harbor | Encrypted data not subject to breach definition | Idaho Code § 28-51-104(1) |
| Substitute notice | Cost > $25K, or 50K+ affected, or no contact info | Idaho Code § 28-51-106(3) |
| Safe harbor (own procedures) | Compliance with own information security policy satisfies statute | Idaho Code § 28-51-108 |
| Penalties | Up to $25,000 per breach for intentional failure | Idaho Code § 28-51-107 |
| Private right of action | None | -- |
| Comprehensive privacy law | None | -- |

9.2 Idaho-Specific Compliance Checklist

☐ Personal information as defined by Idaho Code § 28-51-104 has been identified and documented
☐ Entity type classification determined (public agency vs. commercial entity vs. third-party holder)
☐ Encryption implemented for all PI at rest and in transit (safe harbor)
☐ Incident response plan includes Idaho-specific investigation requirement
☐ Incident response plan includes 24-hour AG notification procedure (if public agency)
☐ Third-party vendor contracts require immediate notification to data owner upon breach
☐ Substitute notice procedures documented (if applicable)
☐ Information security policy maintained (for safe harbor under § 28-51-108)
☐ Employee training on breach identification and reporting is current
☐ COPPA compliance confirmed for any children's data
☐ Federal overlay requirements documented (HIPAA, GLBA, FERPA as applicable)
☐ Cyber liability insurance coverage reviewed


10. Approvals and Accountability

| Role | Name | Signature | Date |
|---|---|---|---|
| Privacy Lead / DPO | [________________________________] | [________________________________] | [__/__/____] |
| Information Security Officer | [________________________________] | [________________________________] | [__/__/____] |
| Legal Counsel (ID-licensed) | [________________________________] | [________________________________] | [__/__/____] |
| Business Owner | [________________________________] | [________________________________] | [__/__/____] |
| Executive Approver | [________________________________] | [________________________________] | [__/__/____] |

Next Review Date: [__/__/____]


11. Attachments

☐ Data flow diagrams and architecture documentation
☐ Records of processing activities (ROPA) entry
☐ Vendor list and data processing agreements
☐ Information security policy (for safe harbor compliance)
☐ Penetration test reports
☐ Incident response playbook (ID-specific)
☐ Breach notification letter template (ID-specific)
☐ AG notification template (for public agencies)
☐ Insurance policy summary (cyber liability)


Sources and References

  • Idaho Legislature, Title 28 Chapter 51 (Identity Theft): https://legislature.idaho.gov/statutesrules/idstat/title28/t28ch51/
  • Idaho Code § 28-51-104: https://legislature.idaho.gov/statutesrules/idstat/title28/t28ch51/sect28-51-104/
  • Idaho Code § 28-51-105: https://legislature.idaho.gov/statutesrules/idstat/title28/t28ch51/sect28-51-105/
  • Idaho Office of the Attorney General, Security Breaches: https://www.ag.idaho.gov/consumer-protection/security-breaches/
  • Perkins Coie, Idaho Security Breach Notification Chart: https://perkinscoie.com/insights/publication/security-breach-notification-chart-idaho
About This Template

Compliance documents are what regulated businesses use to prove they follow the rules that apply to their industry, whether that is privacy, anti-money-laundering, consumer protection, or sector-specific requirements. Regulators look for consistent policies, up-to-date records, and clear evidence of employee training. The cost of getting compliance paperwork right is almost always smaller than the cost of an enforcement action, fine, or public disclosure.

Important Notice

This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.

Last updated: April 2026
