In all the guidance related to Response Programs for Unauthorized Access to Customer Information and Customer Notice (what a mouthful!), I have not seen anything that states WHEN the program must be in place. I assume it is preferable to have it in place before our next examination, but is there a "drop dead" date that anyone in aware of? Have I missed it?

Thanks!

It is effective now. Regulators are supposed to be "kind" and accept good faith effort to implement as timely as possible.

Anon is correct, it's effective now and for banks that don't have a program, there will be a little wiggle room for a little bit but if you don't currently have one, I'd suggest you do so immediately.

The guidance is an interpretation of existing provisions in section 501(b) of the GLBA and Information Security Guidelines. Therefore, a delayed effective date is not required. Financial institutions should implement the interpretive guidance as soon as possible. The agencies recognize that not every financial institution currently has a response program that is consistent with the interpretive guidance. The agencies will take into account the good faith efforts made by each institution to develop a response program that is consistent with the interpretive guidance, however; any financial institution experiencing a breach in security that includes unauthorized access to customer information is expected to respond promptly in a manner consistent with the guidance, and provide customer notice, if warranted.

Thank you everyone!