Bill Description: Senate Bill 1066 would require individuals or businesses that experience a data breach to provide credit monitoring services at no cost to those affected.
Rating: -1
Does it give government any new, additional, or expanded power to prohibit, restrict, or regulate activities in the free market? Conversely, does it eliminate or reduce government intervention in the market?
Senate Bill 1066 would amend sections 28-51-104, 28-51-105, and 28-51-106, Idaho Code, to replace "personal information" with "personally identifiable information" (PII) and expand its definition.
The expanded definition would include things like email addresses, usernames, passwords, medical history, DNA profiles, and individual taxpayer identification numbers.
Existing law contains a number of provisions related to disclosing data breaches and imposing penalties for intentional disclosure. This bill would extend these existing provisions to the new elements it creates.
The bill would add a new provision requiring "an agency, individual, or commercial entity that has determined that the misuse of PII about an Idaho resident has occurred or is reasonably likely to occur" to "offer to provide credit monitoring services at no cost to the affected resident for a period of not less than thirty-six (36) months" and "provide information on how to enroll in the free credit monitoring service" and how to "place a credit freeze on such resident's credit file with credit reporting agencies."
It is one thing to impose these requirements on government agencies, but it is excessive to broadly impose such a requirement on individuals and businesses in the private sector.
Applying this law to individuals is troubling because it could potentially apply to someone who has data covered by the expanded definitions of PII collected for reasons unrelated to a commercial endeavor.
The expanded definitions of PII contained in this bill include a "username or email address, in combination with a password or security question that would permit access to an online account." The bill would therefore apply to online accounts of all sorts, including those that do not contain sensitive financial data. Under this definition, if someone's blog were hacked and the usernames and passwords of commenters on the blog were exposed, the blog owner could be required to pay for free credit monitoring services for every person registered on the site.
It is also worth noting here that most businesses already offer free credit monitoring when they're involved in a data breach as a way of reassuring their customers, so the free market has already largely dealt with this issue.
(-1)