According to a report issued in June by the U.S. Government Accountability Office (GAO Report 07-737), a number of challenges exist related to complying with the breach notification requirements in state laws or federal banking guidance, such as interpreting ambiguous statutory language, identifying and locating affected consumers, and developing effective notification letters. Similarly, financial institutions must determine whether misuse of breached information is “reasonably possible,” such as when little information exists about the location of the data, the intent of a criminal who stole data, or the effectiveness of security features designed to render data inaccessible.
Institutions that issue credit and debit cards compromised by a merchant that is not the institution’s service provider are generally not required by the banking regulators’ guidance to notify their customers, but in some cases they nevertheless feel obliged to do so. Breaches of credit card information by third parties can adversely affect an institution’s reputation and result in costs related to notifying customers and reissuing cards.
It can also be difficult to identify which consumers may have been affected by a breach and obtain their contact information. This can be a particular problem for entities, such as merchants, that have breached credit card numbers but don’t themselves possess the mailing addresses associated with those numbers. Institutions whose customers’ account information is breached also may incur costs for remedial steps such as canceling existing accounts or replacing affected customers’ credit or debit cards—although such steps may not be required by the applicable breach notification requirements.
http://www.bankinfosecurity.com/articles.php?art_id=512