4.30pp Data Protection and Classification - Standard

Standard Owner

Information Technology Department – Data & GIS Division; City Clerk

Legal References

Idaho Public Records Act; Idaho Data Breach Notification Law; HIPAA Privacy and Security Rules (where applicable); FBI CJIS Security Policy (where applicable); Payment Card Industry Data Security Standard (PCI DSS) (where applicable); NIST SP 800-53 and related NIST guidance; other applicable federal, state, or contractual requirements.

Purpose

This standard defines how City of Boise information is classified and protected throughout its lifecycle. The city’s classification framework provides a common language for staff and establishes minimum protection expectations by Data Confidentiality & Sensitivity and Data Criticality Level. Data Criticality ensures the city identifies the information most essential to delivering services and meeting legal obligations, so it can be prioritized for stewardship, continuity planning, backup and recovery, and resilience investments. Data Confidentiality & Sensitivity ensures the city applies consistent handling and protection requirements based on sensitivity, so information is appropriately accessed, stored, transmitted, and shared. This standard works with the Information Security Standard to ensure both information and systems are protected.

Scope

This standard applies to all information created, received, stored, or managed by the City of Boise, in any form — paper, electronic, audio, video, or verbal. It applies to all employees, elected officials, contractors, vendors, and volunteers with access to city information.

Definitions

• Information Asset: A defined collection of information managed as a unit (e.g., an application dataset, shared drive site, system module, database, or department repository). Information Assets may include structured or unstructured information, in any medium (e.g., electronic, paper, audio, video, or verbal).
• System of Record / Authoritative Source: The designated system or repository where the official version of an information asset is maintained.
• Classification: The assigned category or set of categories used to describe an information asset so it can be consistently managed. Classification communicates how information should be handled and protected, and may include multiple facets (e.g., sensitivity, data criticality, record type) depending on the applicable city framework.
• Data Confidentiality & Sensitivity Level: A classification facet describing sensitivity and handling requirements for information (Shared, Restricted, Private).
• Data Criticality Level: A classification facet describing the impact of a data asset to city operations, continuity, and legal/accountability needs (Low, Medium, High).
• Record Type: Records Management classification used to determine retention and disposition. (Record type is not covered by this standard.)

Data Roles Overview

For the purposes of this standard, Data Owners are business leaders accountable for the information assets created and used by their business processes; Data Custodians are staff (often IT or records staff) who operate the systems and repositories where information is stored; and Data Users are staff who access and use information to perform their work. Departments must ensure these roles are clearly assigned for their major Information Assets, even if individuals hold more than one role.

Responsibilities

Department Data Owners

• Determine and document the Classification for major Information Assets, including Data Confidentiality & Sensitivity and Data Criticality Levels, and coordinate with Records Management policies and schedules as needed.
• Approve access requests for information assets designated as Restricted and Private.
• Review and update classifications when business processes, laws, or risks change.
• Are typically the business owners or process owners for key operational processes; they are considered the data owners for the information those processes create and use.

Department Data Custodians (Department Records Coordinators, Records Management, or System Administrators)

• Implement and maintain controls consistent with the assigned Classification (including Data Confidentiality & Sensitivity and Data Criticality Levels).
• Ensure information is stored and handled according to this standard.
• Manage user access and permissions in the systems they administer based on Data Owner direction.
• Maintain a department-level inventory of information assets and their classifications, and provide updates to enterprise inventories maintained by IT.
• Implement backup, recovery, and availability controls consistent with the Data Criticality level.

Data Users (All city employees and contractors)

• Handle information according to its classification.
• Follow this standard and guidelines set by the data owners when accessing, storing, transmitting, or sharing information.
• Report suspected breaches, mishandling, or misclassification.

Information Technology – Data & GIS

• Serve as the program lead for this standard and for the city’s information classification framework.
• Maintain this standard and coordinate updates with Legal, the City Clerk, IT Security, and the Data and AI Working Group.
• Maintain citywide inventories of information assets and their classifications, based on inputs from departments.
• Support departments in applying this standard to new systems, integrations, and data projects.
• Provide staff expertise and leadership to the Data and AI Working Group.

Information Technology – App Services

• Implement and maintain application configurations that support this standard, including access controls, secure sharing settings, and audit/logging features where available.

• Partner with Department Data Owners, IT Security, and Infrastructure to ensure applications handling Restricted/Private or High Data Criticality information are appropriately configured, changed, and supported for continuity and incident response.

Information Technology – Security

• Define and maintains technical security standards (for example, encryption, access control, audit logs, and backup requirements) that support this standard and the Information Security Standard.
• Implement and operate shared security controls on city-managed systems and networks, including monitoring and incident response processes.
• Advise departments on secure configuration and use of systems and cloud services in alignment with data classification levels.
• Support departments and the Data and AI Working Group in assessing technical risks for new systems and changes that affect Restricted or Private data.

Information Technology - Infrastructure

• Implement and maintain foundational security controls (e.g., firewalls, endpoint protections, identity services, and encryption technologies).
• Support access management and technical enforcement mechanisms aligned with Data Confidentiality & Sensitivity requirements.
• Support incident response activities as directed by IT Security.

City Clerk

• Ensure retention, archiving, and disposition; Follow the Records Management and Public Records Policy and applicable law.
• Advise on how Classification facets interact with records requirements, including coordination for public records requests and exemptions under the Idaho Public Records Act.

Legal - Privacy Officer

• Ensure compliance with privacy laws and applicable legal requirements for sensitive information.
• Review or advise on classification and handling expectations for personal and sensitive data as needed.

Data and AI Working Group

• Develop and maintains this standard and related guidance, with IT Data & GIS serving as the lead and coordinating with Legal and the City Clerk.
• Provide guidance, training, and resources on data classification and protection.
• Identify citywide data and AI-related protection issues and recommends improvements, priorities, and supporting tools.
• Coordinate with departments, Information Security, the City Clerk, and Legal to support implementation of classification and protection rules.
• Include representatives from executive leadership, Information Technology, Organizational Effectiveness, Legal/Privacy, City Clerk, Risk & Safety, and rotating department data or information security leads.

Classification Overview

The city classifies information using multiple facets so it can be consistently managed across the information lifecycle. For this standard, the two primary facets are:

1. Data Criticality Level (High, Medium, Low) — communicates operational importance and informs stewardship, continuity planning, and recovery priorities.
2. Data Confidentiality & Sensitivity Level (Shared, Restricted, Private) — communicates sensitivity and minimum handling/protection expectations.

These facets are independent. An information asset may be any Data Criticality Level at any Data Confidentiality & Sensitivity Level.

Record Type is a separate classification facet governed by the city’s Records Management framework and is not defined in this standard.

Departments ensure major Information Assets have an assigned Classification (including Data Criticality Level and Data Confidentiality & Sensitivity Level at minimum) and that the Classification is documented in the asset inventory and applied through appropriate controls and handling practices.

Data Formats

City information may be stored and managed in structured or unstructured formats. Classification applies to both formats and is based on the information’s content and use—not where it lives or how it is formatted. Both structured and unstructured information may be considered city records and are subject to applicable Records Management and public records requirements.

• Structured information: Organized using defined fields or schemas (e.g., databases, enterprise systems, forms, spreadsheets used as systems of record).
• Unstructured information: Not organized in predefined fields (e.g., documents (including paper), emails, chat messages, PDFs, images, audio/video, scanned files, notes).

Departments must ensure that major Information Assets are identified and classified regardless of format, including information stored in shared drives, collaboration platforms, email, line-of-business applications, and paper records.

Data Criticality Level

Data Criticality Level is a classification facet describing how critical an Information Asset is to the city’s ability to operate, meet legal obligations, deliver services, and recover from disruptions. Data Criticality is independent of Data Confidentiality & Sensitivity. It informs stewardship expectations, continuity planning, and backup/recovery prioritization, including restoration objectives for High Criticality assets. Data Criticality does not determine whether information must be released under the Idaho Public Records Act; public records release decisions are made under law and city policy.

High Criticality

• Definition: Essential to core operations, public safety, legal compliance, or service continuity.
• Examples: Budget authority records, adopted ordinances, permits and licensing systems of record, payroll and timekeeping systems, emergency operations plans, infrastructure asset records, official GIS systems of record.
• Implications: Highest priority for stewardship, resiliency, backup/recovery, auditability, and disaster recovery planning. High Criticality Information Assets should be clearly tied to an authoritative System of Record and have defined recovery expectations.

Medium Criticality

• Definition: Important for efficient operations, regulatory support, or historical accountability.
• Examples: Project files, internal policies and procedures, contract working files, operational reports, shared departmental documentation.
• Implications: Regular stewardship and backups; continuity and recovery expectations defined based on operational impact, dependencies, and practical restoration needs.

 Low Criticality

• Definition: Limited operational or legal impact if unavailable; primarily convenience or short-term reference.
• Examples: Draft working notes, routine correspondence, informal reference materials.
• Implications: Lower continuity/recovery priority, while still meeting retention obligations and applicable records requirements.

Data Confidentiality & Sensitivity Level

Data Confidentiality and Sensitivity Level is a classification facet describing sensitivity and handling requirements of the information. The city uses three levels: Shared, Restricted, and Private. Shared is the default unless an asset meets the criteria for Restricted or Private.

Shared

• Definition: Information suitable for broad internal use and, when appropriate and consistent with law, broad external release.
• Examples: Published reports, policies, press releases, public-facing web content, approved open data, public meeting materials.

Restricted

• Definition: Non-public information that should not be broadly shared; unauthorized access or disclosure could cause operational disruption, reputational harm, or other material impacts.
• Examples: Internal memos, draft documents, non-public contract materials, internal procedures, system configuration details, non-public contact lists.

Private

• Definition: Legally protected, personally identifiable, or highly sensitive information; unauthorized access or disclosure could cause significant harm to individuals or the city.
• Examples: Social Security numbers, driver’s license/passport numbers, financial account information, protected health information (PHI), personnel investigations, CJIS-covered information, credentials/secrets.

If uncertain, treat the information as Restricted and consult IT Security and/or Legal/Privacy Officer.

Special Categories of Data

Special Categories are types of information governed or shaped by specific laws, regulations, contractual obligations, or industry standards. In most cases, Special Categories will be designated Private (and occasionally Restricted) and must follow the handling requirements for that Data Confidentiality & Sensitivity, plus any applicable external requirements. Special Categories include:

• Criminal justice information (CJIS)
• Protected health information (HIPAA)
• Payment card data (PCI DSS)
• Sensitive personal information as defined by law (including breach-notification triggers)
• Other regulated or contractually restricted datasets

Special Categories do not replace classification; they inform the appropriate Data Confidentiality & Sensitivity and handling requirements.

Personally Identifiable Information (PII)

Definition: Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information.

Sources: Key references include:

• National Institute of Standards and Technology (NIST) guidance (for example, NIST SP 800-122 and NIST SP 800-53), and
• Idaho Data Breach Notification Law, which defines “computerized personal information” and requires notification when certain combinations (such as name plus Social Security number or account/credit/debit card number with security code or password) are breached.

Examples: This includes direct identifiers (for example, name, Social Security number) and combinations of indirect identifiers (for example, date of birth plus ZIP code) that make it possible to identify a specific person.

Handling Notes

• When in doubt whether data qualifies as PII, treat it as PII and consult the Privacy Officer or Legal.
• When information could become PII when combined with other data, classify and handle it at the higher sensitivity level.

Payment Card Industry (PCI) Data

Definition: Any data that can be used to process, store, or transmit payment card transactions.

Source: Payment Card Industry Data Security Standard (PCI DSS), as maintained by the PCI Security Standards Council.

Examples:  This includes the full Primary Account Number (PAN) and associated data that could be used for fraud or unauthorized transactions. Includes card number (PAN), cardholder name, expiration date, service code, CVV/CVC codes, PINs and PIN blocks, and track data.

Handling Notes

• Systems and vendors that handle PCI data must comply with PCI DSS in addition to city standards.
• Restrict handling to approved, PCI-compliant processes and systems.

Criminal Justice Information (CJI)

Definition: Information collected by criminal justice agencies that is needed for the performance of their legally authorized duties.

Source: FBI Criminal Justice Information Services (CJIS) Security Policy.

Examples: This includes, but is not limited to, criminal history record information, arrest records, warrants, and offender management data.

Handling Notes

• Departments handling CJI must comply with the FBI CJIS Security Policy, including required personnel screening, access controls, transmission security, and audit logging.
• Consult with the city’s CJIS Information Security Officer (ISO) or equivalent role before implementing new systems or changes involving CJI.

Protected Health Information (PHI)

Definition: Individually identifiable health information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or payment for the provision of health care, and that identifies the individual or could reasonably be used to identify the individual.

Source: Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule.

Examples: Medical records, billing info, health insurance details, past/present/future health condition, health care provided, payment for health care.

Handling Notes

• Departments handling PHI are responsible for implementing HIPAA Privacy and Security Rule safeguards, including administrative, physical, and technical controls.

Sensitive Personal Information

Definition: Personal or HR-related information that is not explicitly defined as PII, PHI, CJI, or PCI data in law or regulation, but that could cause significant harm, embarrassment, or loss of trust if improperly disclosed. This often includes detailed personnel and employment-related information.

Source: No single external statute; guided by general privacy principles, employment law, and city HR policies.

Examples: Employee evaluations, disciplinary records, grievances, background check reports, detailed payroll and benefits information, and other HR data that affects an individual’s employment relationship or reputation.

Handling Notes

• Treat Sensitive Personal Information as Restricted or Private by default.
• Limit access to those with a clear business need.
• Coordinate classification and handling with HR, the Privacy Officer, and Legal when needed.

Critical Infrastructure Information (CII)

Definition: Information related to systems, assets, and functions vital to the City of Boise, where disruption, compromise, or misuse could have significant effects on public safety, public health, or economic security. This includes both physical and cyber components of critical infrastructure.

Source: Informed by federal critical infrastructure and Protected Critical Infrastructure Information (PCII) concepts, including Department of Homeland Security (DHS) guidance, adapted to the City of Boise context.

Examples

• Water renewal systems: physical buildings and infrastructure, control systems, operational diagrams, drawings and specifications, risk analyses, SCADA systems, and contingency planning documents.
• Airport systems: security protocols, infrastructure maps, operational diagrams, and vulnerability assessments required by FAA/TSA or other regulators.
• Cyber systems: network configurations, vulnerability assessments, penetration test results, and cybersecurity strategies.
• City facilities: diagrams and specifications of police stations, fire stations, City Hall, Emergency Operations Centers, and other critical facilities.
• GIS and asset management systems: maps, datasets, and applications that reveal infrastructure vulnerabilities, system interdependencies, or future expansion plans.
• Strategy and planning documentation: analyses or prioritization of infrastructure investments, vulnerabilities, risk assessments, or future investment needs.
• Safety and security recordings: CCTV footage, audio, video, or other recordings where unauthorized access could compromise safety or regulatory compliance.

Handling Notes

• Treat CII as Private by default.
• Coordinate with IT Information Security when classifying or sharing CII, especially when involving external parties or vendors.
• Consult the Data and AI Working Group for borderline cases or when determining whether new types of information should be treated as CII.

Other Statutory or Contractual Requirements

Definition: Some data may be subject to additional statutory, regulatory, or contractual requirements (for example, grant conditions, materials covered under non-disclosure agreements, or specific state/federal program rules) that impose stricter handling, retention, or reporting obligations.

Handling Notes

• Departments are responsible for identifying any such requirements that apply to their programs, with support from Legal and the Privacy Officer.
• Where external requirements are stricter than this standard, departments must follow the stricter requirements.

Relationship to Records Management and Public Records

This standard defines how city information is classified for the purpose of protecting it (for example, who can access it, how it is stored, and how it is transmitted). Classification does not, by itself, determine (1) how long information is retained or archived, or (2) whether information must, may, or must not be released as a public record.

Retention, archiving, and disposition are governed by the city’s Records Management and public records policies and applicable law, including the Idaho Public Records Act and city records retention schedules. This standard does not override the Public Records Act; determinations about whether a record must be disclosed, may be redacted, or may be withheld are made under that law and related city policy, typically with the department records/PRR coordinators, City Clerk and Legal.

Information identified as Restricted or Private may be released in full, released in part with redactions, or withheld depending on legal requirements and exemptions. Classification helps identify information that should be handled carefully and routed appropriately, but it does not override legal requirements for retention or public access.

Data Criticality must be considered alongside records retention schedules. While retention periods are governed by law and city policy, Data Criticality informs which information assets and systems should be prioritized for preservation and accessibility, enhanced backup/recovery and continuity controls, and readiness for audits, litigation, or public records requests. Departments must ensure that information designated as High Criticality is clearly mapped to its authoritative System of Record and applicable retention schedule.

Protection and Handling Requirements

Baseline protection expectations

All Information Assets must be managed in city-approved systems and handled in a way that protects confidentiality, integrity, and availability appropriate to their Classification. Technical control requirements are defined in the Information Security Standard; this standard establishes minimum handling expectations and prioritization rules.

High Criticality stewardship and resilience expectations

This section defines minimum stewardship expectations for Information Assets designated as High Criticality. These expectations apply regardless of Data Confidentiality & Sensitivity and are intended to ensure that essential information remains available, recoverable, and usable during disruptions.

Authoritative source and stewardship

• High Criticality Data Assets must be clearly mapped to an authoritative System of Record (or designated authoritative source).
• Departments must identify the Data Owner and Data Custodian responsible for stewardship and operational readiness.

Continuity, recovery, and resilience

• High Criticality Data Assets must have documented backup and recovery expectations appropriate to operational need (including restoration objectives where feasible).
• High Criticality Data Assets must be prioritized for continuity planning and restoration sequencing during outages.

Availability and operational readiness

• Departments and IT must ensure High Criticality systems and repositories are supported with appropriate operational practices (e.g., monitoring, support coverage, and dependency awareness) consistent with city standards.

Change management

• Changes that materially impact High Criticality Data Assets (e.g., system migrations, major integrations, changes in authoritative source, or access model changes) must be reviewed to confirm continuity and recovery expectations are maintained.

Restricted and Private handling requirements

This section establishes minimum handling expectations for Information Assets designated as Restricted or Private. Detailed technical requirements (e.g., encryption standards, logging baselines, endpoint controls) will be defined in the Information Security Standard.

Access and sharing

• Limit access to those with a legitimate business need (least privilege).
• Use city-approved systems with permissions/roles; avoid “everyone” access for Restricted/Private content.
• Do not post Restricted/Private information to public locations, public links, or broad distribution lists.
• Data Owners approve access for Private Information Assets and define access expectations for Restricted assets.

Storage

• Store Restricted/Private information only in city-approved repositories configured with appropriate access controls.
• Do not store Restricted/Private information on personal devices, personal cloud accounts, or unapproved removable media.
• Private information must be protected with encryption at rest where supported; encryption requirements will be defined in the Information Security Standard.

Transmission

• Do not transmit Private information via standard email or unsecured channels. Use city-approved secure methods.
• When sending Restricted information externally, use city-approved secure methods as required by IT Security guidance.
• Verify recipients before sending; prefer controlled-access links over attachments when feasible.

Collaboration and sharing links

• Do not use public/anonymous links for Restricted/Private content.
• Configure sharing links to the minimum necessary audience and use expiration where feasible.

Printing and physical handling

• Print Restricted/Private information only when necessary.
• Do not leave Private information unattended (e.g., at printers, in vehicles, in public areas).
• Dispose of Restricted/Private printed materials using approved secure disposal methods (e.g., shred bins) consistent with Records Management requirements.

Exceptions

• Exceptions to these handling expectations must be documented and approved by the Data Owner and IT Security (and Legal/Privacy Officer when applicable).

Special Categories handling

Information identified as a Special Category must follow the handling requirements for its assigned Data Confidentiality & Sensitivity (typically Private), plus any additional requirements imposed by law, regulation, contract, or applicable standards (e.g., CJIS, HIPAA, PCI DSS). Where Special Category requirements conflict with general handling guidance, the stricter requirement applies.

Operating the standard

Operational requirements

These requirements explain how the city applies and maintains Classification in day-to-day work across the information lifecycle.

Labeling and identification

• Information Assets designated Restricted or Private must be labeled/tagged where the system supports it (e.g., document headers/footers, metadata tags, site/folder labels, database labels, or repository labels).
• When labeling at the item level is impractical, label at the container level (e.g., SharePoint site, Teams channel, folder, repository, application module) and treat all contents accordingly.
• High Criticality designation should be recorded in the asset inventory and, where feasible, in the system/application service catalog.

Lifecycle handling

• Classification must be applied at creation/collection and revisited when business use, legal requirements, or risk changes.
• Information must be stored in city-approved systems and repositories appropriate to its Classification.
• Disposal of information must follow Records Management schedules and approved secure disposal practices.

Applying classification in practice

• If information contains multiple types/levels, classify and handle it to the most protective Data Confidentiality & Sensitivity present.
• When the Data Criticality Level is uncertain, treat it as Medium Criticality until the Data Owner confirms otherwise.
• If a system or repository contains both public-facing and Restricted/Private information, it must be designed and configured to prevent accidental disclosure (e.g., separation, permissions, review steps).

Training and awareness

Departments must ensure staff with access to Restricted/Private or High Criticality Information Assets understand basic handling expectations and escalation paths.

Technical protections

Technical requirements that support this standard (e.g., encryption, identity/access management, logging, monitoring, endpoint protections, secure configuration baselines, backup/restore standards) are defined in the Information Security Standard and supporting IT security standards.

This standard establishes what must be protected and how it must be handled at a minimum; the Information Security Standard defines how technical controls are implemented and enforced on city-managed systems.

Reproductions and derivatives

Reproductions (copies) and derivatives (extracts, exports, reports, dashboards, transformed datasets, screenshots, recordings, or compiled files) must be managed to prevent accidental downgrade of protections.

• Inheritance rule: Derivatives inherit the Data Confidentiality & Sensitivity of the source information unless the derivative is determined (by the Data Owner) to contain only lower-sensitivity content. When in doubt, inherit the higher level.
• Mixing rule: If a derivative combines multiple sources, handle it to the most protective Data Confidentiality & Sensitivity included.
• Data Criticality: Derivatives used to operate, restore, or evidence essential services may be designated as High Criticality (or higher than the source) based on operational reliance.
• Labeling: When feasible, label/tag derivatives consistent with the source classification.
• Storage and sharing: Store and share derivatives only in approved systems consistent with their classification; do not move Restricted/Private derivatives into lower-control locations “for convenience.”
• Declassification: Reducing an Data Confidentiality & Sensitivity (or changing the Data Criticality designation) requires Data Owner review and documentation.

External sharing and release

This section governs intentional external sharing (with partners, vendors, other agencies, or the public) and is separate from formal public records request processing.

• External sharing must be limited to what is necessary for the business purpose (data minimization).
• Private information may not be shared externally unless explicitly authorized by the Data Owner and permitted by law/contract, using approved secure methods and appropriate agreements.
• Restricted information shared externally must use approved secure methods and should include terms/expectations appropriate to the sensitivity (e.g., contractual protections, access controls, expiration).
• Special Categories (e.g., CJIS/HIPAA/PCI or other regulated data) must follow the required external constraints for that category in addition to city standards.
• Public-facing release (including open data publication) must follow city processes and appropriate review for privacy, security, and legal considerations.

Public records requests: Requests made under the Idaho Public Records Act are handled through the City Clerk/public records process. This section does not replace those procedures.

Department ownership and inventory

Departments must maintain an inventory of major Information Assets to support stewardship, risk management, continuity planning, and records readiness.

At a minimum, inventories should record:

• Information Asset name/description and business purpose
• Data Owner and Data Custodian
• System of Record / Authoritative Source
• Classification facets used in this standard: Data Criticality Level and Data Confidentiality & Sensitivity
• Special Category flags where applicable (e.g., CJIS/HIPAA/PCI)
• Primary storage locations and key integrations/sharing pathways (internal and external)

Departments provide updates to the citywide inventory maintained by IT (per the responsibilities section).

Review and audit

• Classification reviews: Departments must review classifications for major Information Assets on a regular basis and when material changes occur (system changes, process changes, new integrations, new legal requirements, incidents, or audits).
• Control reviews: IT Security and departments may periodically assess whether handling practices and technical controls align with assigned classification.
• Audit support: Departments must support audit, litigation hold, and public records readiness by maintaining clear ownership, authoritative sources, and inventory accuracy for High Criticality and Restricted/Private Information Assets.

Incident response and legal notifications

Data breaches and notification

Suspected or confirmed data breaches must be handled through the city’s incident response and information security processes, in coordination with IT Information Security, the Privacy Officer, Legal, and the City Clerk as appropriate.

For computerized personal information, the Idaho Data Breach Notification Law requires that when a public agency becomes aware of a breach of the security of the system, the agency must notify the Idaho Attorney General within 24 hours of discovery.

The law also requires notification to affected Idaho residents as soon as possible if misuse of the personal information has occurred or is reasonably likely to occur.

Under Idaho law, a “breach of the security of the system” involves the illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information.

“Personal information” generally includes an individual’s first name or first initial and last name in combination with any of the following data elements, when either the name or the data elements are not encrypted:

• Social Security number
• Driver’s license number or Idaho identification card number
• Financial account number, or credit/debit card number, in combination with any required security code, access code, or password that would permit access to the account

This standard does not replace the city’s incident response procedures or the Information Security Standard. Departments must promptly report suspected breaches to IT Security and follow those procedures in addition to the requirements above.

Related Information

• Information, Data, and Privacy Security Regulation
• Information Security Standard
• Password Standard
• Records Management Manual and Public Records Policy
• Acceptable Use of IT Resources Regulation

Approval and Revision History

This Standard shall be reviewed annually and updated as necessary to reflect changes in city policies, regulations, and standards.

Approved By

Alexandra Winkler, CIO

Download as PDF