The Federal Financial Institutions Examination Council,InteragencyGuidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (April 1, 2005) describes some of the obligations that financial institutions have to report unauthorized access of customer's private, sensitive information.

What are the minimum components of a financial institution's response program?

When must financial institutions notify customers that a third party has obtained unauthorized access to private, sensitive customer information?

Why is there a different standard for notifying federal regulatory agencies than for notifying the financial institution's customers?

References:

The Federal Financial Institutions Examination Council,InteragencyGuidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (April 1, 2005) https://www.fdic.gov/news/financial-institution-letters/2005/fil2705.html