Hi. While I know that financial institutions (and other businesses) are required to notify customers whose information is comprimised, can anyone tell me if there are reqmt's. documented anywhere for the institution to retain proof that the customers were notified?
Do the specific reqmt's for the type of documentation that needs to be retained to demonstrate customers were notified vary, depending on the state in which the institution or business is located? Are there standard 5 year record retention reqmt's for financial institutions that would apply?
*Also, while I have the applicable state (Texas) regulation that requires businesses to notify customers when their information is compromised, is there currently a federal requirement?
Any information would be greatly appreciated. Thanks.