I'm not sure if notification requirements vary from regulator to regulator, but I know the FDIC put out FIL 27-2005 as interpretive guidance of GLBA requirements. It stated:
"... a financial institution should provide a notice to its customers whenever it becomes aware of an incident of unauthorized access to customer information and, at the conclusion of a reasonable investigation, determines that misuse of the information has occurred or it is reasonably possible that misuse will occur."
http://www.fdic.gov/news/news/financial/2005/fil2705.pdf
Since, IMO, it is reasonable to think that misuse will occur, I would argue that you would have no choice but to notify those customers affected by the breach. Whether or not you decide to close or monitor is up to you, but I think you need to tell them what you plan to do in your letter.