For those auditors who review the information security customer response programs for national banks (OCC regulated): has anyone performed a risk assessment where the bank decided not to give notice to the customer (regulatory guidance applies only to information that is within the control of the institution and its service providers)? An example would be where VISA had a breach and is not a direct third party of the national bank using VISA debit cards. Excluding monetary issues (fraud costs), I see the biggest issue as reputation risk. If you disclose, the uninformed customer may think it is your bank and not a service provider you have no control over (VISA). If you don't disclose and the customer(s) find out you knew of the breach beforehand, there could be potential legal and ethical issues.
Obviously, regulatory guidance is very grey. I am looking for other people’s thoughts and guidance they may have received from their regulators.