ID H0117

Requires insurance licensees to develop, implement, and maintain comprehensive written information security programs with administrative, technical, and physical safeguards to protect nonpublic consumer information, scaled to the licensee's size and complexity.

Mandates licensees notify the Director of Insurance within 10 business days of determining a cybersecurity event has occurred that affects 250 or more Idaho consumers or has reasonable likelihood of material harm; affected consumers must also be notified without unreasonable delay.

Exempts small licensees from the information security program requirement if they have fewer than 50 employees working 30+ hours weekly, less than $5 million in gross annual revenue, or less than $10 million in year-end total assets.

Establishes that violations may result in civil penalties under existing Idaho Code section 41-117, but explicitly creates no private cause of action for individuals to sue over violations.

Takes effect July 1, 2025, with licensees given until July 1, 2026, to comply with the information security program requirements; records must be maintained for 5 years.