Bill Description: House Bill 147 would give the Department of Insurance new powers to regulate and set standards for how insurers manage data security.
Amendment Analysis: The amendment to House Bill 147 does not change the rating, but it has resulted in some changes to the analysis. Specifically, an earlier example involving text messaging is no longer applicable to the amended bill.
Analyst Note: While it is laudable and desirable to prevent data breaches, this legislation represents a centralized, government-driven solution that may actually lead to the very data breaches that the legislation seeks to prevent.
Most businesses handle private consumer data. It is up to those businesses to deploy the latest security practices, rather than depend on the government to create the roadmap. By letting the market develop best practices, consumers can shop those businesses that offer superior data security protection, instead of being left with a one-size fits all approach that depends on a state agency or legislative action for updates.
Does it create, expand, or enlarge any agency, board, program, function, or activity of government? Conversely, does it eliminate or curtail the size or scope of government?
House Bill 147 creates Chapter 66, Title 41, the "Insurance Data Security Act," which would give the Department of Insurance new powers to instruct insurers on the sum total of how they handle data security.
Does it transfer a function of the private sector to the government? Examples include government ownership or control of any providers of goods or services such as the Land Board’s purchase of a self-storage facility, mandatory emissions testing, or pre-kindergarten. Conversely, does it eliminate a function of government or return a function of government to the private sector?
Presently, it is up to the market to solve problems relative to data security. This bill takes those decisions away from the private sector and makes most of the decisions a responsibility of the Department of Insurance.
Does it in any way restrict public access to information related to government activity or otherwise compromise government transparency or accountability? Conversely, does it increase public access to information related to government activity or increase government transparency or accountability?
Under the proposed new Section 41-6607, Idaho Code, the legislation would exempt from public scrutiny many of the documents obtained under the Department of Insurance’s new authorities, although the legislation permits the director to share such information with the National Association of Insurance Commissioners and its affiliates.
Does it violate the principle of equal protection under the law? Examples include laws which discriminate or differentiate based on age, gender, or religion or which apply laws, regulations, rules, or penalties differently based on such characteristics. Conversely, does it restore or protect the principle of equal protection under the law?
The proposed statute applies to licensees except for those with 50 or fewer employees and independent contractors (see proposed Section 41-6608). It is unclear why data security would be manifestly different for businesses based on the number of employees, but that is what the legislation contemplates.