GLBA proposes developing a "defensible" information security posture. As CISO of a National Bank, our policy was to retain a copy of the incident security record and associated forensics files (logs, etc.) for a period of 7 years. However, if the incident was large, created a potential for large reputational risk, could potentially resurface in the future, etc., the policy was to keep the record and associated documentation in perpetuity. Obviously, most banks have none of the last type of record (unless you are very, very large and an obvious target), which makes it reasonable to establish that type of "defensible" policy.