#576776 - 06/28/06 12:14 AM Customer notification of data compromise
RFBanker Offline
Member
Joined: Jun 2006
Posts: 73
I understand that our obligation to notify customers of an actual or possible data compromise is a state specific law. Is this true? And could someone tell me where I can find these requirements?

#576777 - 06/28/06 02:35 PM Re: Customer notification of data compromise
rainman Offline
Power Poster
Joined: Nov 2004
Posts: 3,239
You are subject to the applicable federal regulations, but also to WA law. Here's a link to the WA statute:

RCW 19.255.010
_________________________
Nobody's perfect, not even a perfect stranger.

#576778 - 06/28/06 02:44 PM Re: Customer notification of data compromise
ctodd Offline
New Poster
Joined: Apr 2006
Posts: 7
Missouri
Some states do have laws, such as California (see SB 1386). I am not aware of whether or not Washington has a specific law, but I have seen somewhere that 20+ states have adopted. The FFIEC agencies have jointly issued guidance (FIL-27-2005) for financial institutions to develop and implement a response program designed to further protect customer non-public information through establishing policies and procedures for identifying, controlling, and responding to unauthorized access. The guidance is an interpretation of section 501(b) of the Gramm-Leach-Bliley Act (GLBA) and the Interagency Guidelines Establishing Information Security Standards (12 CFR 364, Appendix B). You may want to start with the FFIEC guidelines and then search for state specifics. Here's a link to check out http://www.fdic.gov/news/news/press/2005/pr12705a.html
_________________________
Christine Todd
Chief Compliance Officer
North American Savings Bank (NASB)
12498 S. 71 Hwy, Grandview, MO 64030

#793895 - 08/14/07 12:07 AM Re: Customer notification of data compromise ctodd
dg Offline
Platinum Poster
Joined: Jan 2005
Posts: 811
Pacific NW
I reviewed the information in the WA statute. Other than notifying the consumer about the breach in security, what other obligations does the financial institution have to the consumer? Do we look toward the FACT Act? I know we will have customers calling and asking what they should do now.

#793941 - 08/14/07 11:59 AM Re: Customer notification of data compromise dg
ahou Offline
Power Poster
Joined: Aug 2002
Posts: 3,094
Your bank should have a Response Program for unauthorized access to customer info (effective Mar 29, 2005). This is a federal interagency rule.
_________________________
Opinions are my own and not of my employer.

#794432 - 08/14/07 06:54 PM Re: Customer notification of data compromise ahou
dg Offline
Platinum Poster
Joined: Jan 2005
Posts: 811
Pacific NW
Yes, we do. However, even though I am the compliance officer rather than the security officer, it has been dropped into my lap. Thanks for the lead!

#797474 - 08/17/07 05:25 PM Re: Customer notification of data compromise ahou
dg Offline
Platinum Poster
Joined: Jan 2005
Posts: 811
Pacific NW
Our recent breach in security involved our third party service provider. This is what happened: a small number of our customers wrote checks to the same merchant, and when the checks were written, a "validity check" was done before each check was accepted. So if the third party service provider contracted with the merchant, not us, and the breach occurred, do we still need to contact our regulator?
