"Under the proposal, banks and other financial institutions would alert customers by mail, telephone or e-mail, when they find unauthorized access to personal data that could result in substantial harm or inconvenience. Banks also would be told to flag any accounts that may have been compromised and monitor them for unusual or suspicious activity."
This marks a significant break from standard practice. In the past, banks had latitude to keep things quiet, at the discretion of the board and legal counsel. Of course, the details of the guidelines must spell out what constitutes "unauthorized access," "personal data," and "substantial harm or inconvenience." Stay tuned.