Answer:
Yes, you are. 2007 will see increased scrutiny of data breach notification plans. The FFIEC IT Booklet regarding BCP already calls for formalized data breach notification programs, but the requirement will tighten. The FDIC is calling for the creation of distinct Incident Reporting Programs (IRPs). You must notify both affected parties and authorities, and have a formal process for doing so.