GLBA Breach Notification Requirements for Banks in 2026
Banks now operate under two overlapping federal breach notification regimes — the FTC's consumer-facing 30-day rule and the prudential regulators' 36-hour incident notification rule. Most community banks we talk to are clear on one and fuzzy on the other. Getting either wrong has consequences.
Two notification paths, two different clocks
Before 2022, federal banking law did not include a specific breach notification timeline. Banks relied on the Interagency Guidance on Response Programs (2005), which required "prompt" notification but did not define a deadline. That changed with two regulatory actions that now run in parallel.
Path 1: The 36-hour regulator notification
In November 2021, the OCC, FDIC, and Federal Reserve jointly issued the Computer-Security Incident Notification rule, effective April 1, 2022, with compliance required from May 1, 2022. It requires banking organizations to notify their primary federal regulator as soon as possible and no later than 36 hours after determining that a "notification incident" has occurred.
A notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, (i) the banking organization's ability to carry out banking operations, activities, or processes, or to deliver banking products and services to a material portion of its customer base; (ii) a business line whose failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations whose failure or discontinuance would pose a threat to the financial stability of the United States. A computer-security incident, in turn, is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information it processes, stores, or transmits. The threshold is operational impact: exposure of customer data is a computer-security incident, but it becomes a notification incident only when it reaches one of the three disruption prongs.
The 36-hour clock starts when you "determine" that a notification incident has occurred — not when the incident itself occurred. But regulators will scrutinize how long it took you to make that determination. If a ransomware attack encrypts your core systems on Monday and you do not "determine" it is a notification incident until Thursday, that delay will raise questions.
Path 2: The 30-day FTC notification
The FTC amended the GLBA Safeguards Rule in October 2023 (effective May 2024) to add an explicit breach notification requirement. The trigger is a "notification event": unauthorized acquisition of unencrypted customer information, where information counts as unencrypted if the encryption key was acquired along with it. For notification events involving 500 or more consumers, a covered financial institution must:
- Notify the FTC as soon as possible and no later than 30 days after discovery, using the FTC's electronic reporting form
- Include in the report: the institution's name and contact information, the types of information involved, the date or date range of the event, the number of consumers affected or potentially affected, a general description of the event, and whether a law enforcement official has requested in writing that public disclosure be delayed (the rule allows that delay for up to 30 days, extendable by up to another 30 days on a further written request)
- Recognize that the FTC rule itself does not require notice to affected individuals. Individual notice comes from state law and, for banks, from the Interagency Guidance expectation that customers be told as soon as possible once misuse of sensitive customer information has occurred or is reasonably possible. In practice the 30-day FTC deadline and the tightest state deadlines coincide, so treat 30 days from discovery as the outer bound for both.
The Safeguards Rule's own scope is financial institutions under FTC jurisdiction, so confirm with counsel whether your charter, or a non-bank affiliate, falls under it. Either way, the FTC path works alongside, not instead of, your prudential regulator's expectations for incident and customer notification. Plan to satisfy both.
What triggers each notification
The triggers are different, which is part of what makes this confusing:
- 36-hour rule: Triggered by a "computer-security incident" that rises to the level of a "notification incident." This is broader than a data breach in one sense: it includes operational disruptions. A DDoS attack that takes down your online banking for a day could trigger this even if no customer data was exposed.
- 30-day rule: Triggered by unauthorized acquisition of unencrypted customer information (or encrypted data where the key was also taken) affecting 500 or more consumers. This is narrower: it requires actual unauthorized acquisition of customer data, not merely an operational disruption.
A ransomware attack that both disrupts operations and exposes customer data triggers both. A phishing attack that compromises one employee's mailbox and exposes 1,000 customer records triggers the 30-day rule, but triggers the 36-hour rule only if the compromise also materially disrupts operations, which a single mailbox usually does not. A DDoS attack with no data exposure may trigger only the 36-hour rule.
Do not forget state law
Federal rules do not preempt state breach notification statutes. All 50 states have their own laws, and they vary significantly:
- Timelines: Some states require notification within 30 days (e.g., Colorado, Florida). Others allow 45 or 60 days (e.g., Connecticut at 60). Some say only "as expeditiously as possible" with no hard deadline. Deadlines get amended, so keep your state table current rather than relying on a list from last year.
- Definitions: What constitutes "personal information" varies by state. Some include only SSN and financial account numbers. Others include medical information, biometric data, email credentials, or even health insurance information.
- Attorney general notification: Most states require you to notify the state attorney general if the breach exceeds a certain threshold (often 500 or 1,000 individuals).
If your bank has customers across multiple states, you need to comply with the notification law of every state where an affected individual resides. This is where breach response gets operationally complex in a hurry.
Building a response plan that covers both paths
A community bank needs a single incident response plan that accounts for all of these overlapping obligations. Here is what that looks like in practice:
- Detection and initial assessment. When an incident is detected, your first task is to determine whether it rises to the level of a notification incident (36-hour clock) and whether customer data was compromised (30-day clock). Document your reasoning. Examiners will review it.
- Regulator notification within 36 hours. If the incident meets the threshold, notify your primary federal regulator as soon as possible and no later than 36 hours after the determination. The rule prescribes no form or content: a phone call or email to the regulator's designated contact stating that a notification incident has occurred is enough. You will provide details as they become available.
- Forensic investigation. Determine the scope of the breach: what data was accessed, how many individuals are affected, and whether the data was encrypted. Remember that encrypted data whose key was also taken counts as unencrypted. This drives your FTC and consumer notification obligations.
- FTC and consumer notification within 30 days. If unencrypted customer information (or encrypted data plus its key) of 500 or more consumers was acquired, report to the FTC within 30 days of discovery and send individual notices on the same outer timeline. Individual notice is driven by the Interagency Guidance and state law rather than the FTC rule, so it is still owed when the count is below 500.
- State notifications. Identify which state laws apply based on where affected individuals reside. Schedule to the shortest deadline among applicable states, but satisfy each state's content, attorney general, and threshold requirements individually.
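The trigger analysis in the earlier section and the plan steps above reduce to a small piece of deadline arithmetic that is easy to get wrong under pressure: the 36-hour clock runs from determination, the 30-day clocks run from discovery, the 500-consumer threshold only gates the FTC report, and the state deadline you schedule to is the minimum across the states where affected individuals live. The following is an added worked example, not code from the original page or from BlackSheep's platform. Its state table is hypothetical and carries only the deadlines this page names (Colorado and Florida at 30 days, Connecticut at 60); every other state is flagged for lookup rather than guessed, and the two incident scenarios are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical state table: only the fixed deadlines this page cites are included.
# Any state missing here is reported as needing a statute lookup, never assumed.
# Verify every entry against current statutes before relying on it.
STATE_DEADLINE_DAYS = {"CO": 30, "FL": 30, "CT": 60}

FTC_THRESHOLD = 500                      # consumers affected by a notification event
FTC_WINDOW = timedelta(days=30)          # runs from discovery
REGULATOR_WINDOW = timedelta(hours=36)   # runs from determination, not from the incident


def notification_deadlines(
    discovered_at: datetime,
    determined_at: Optional[datetime],
    affected_by_state: dict[str, int],
    *,
    unencrypted_acquired: bool,
    key_also_acquired: bool = False,
    notification_incident: bool,
) -> dict:
    """Compute the clocks for one incident.

    discovered_at         when the unauthorized acquisition was discovered
    determined_at         when the bank determined a 36-hour "notification incident"
                          occurred, or None if no such determination has been made
    affected_by_state     affected individuals keyed by state code
    unencrypted_acquired  acquired customer information was unencrypted
    key_also_acquired     encrypted data counts as unencrypted if the key was taken
    notification_incident the incident meets the operational-disruption threshold
    """
    total = sum(affected_by_state.values())
    effectively_unencrypted = unencrypted_acquired or key_also_acquired

    # 36-hour regulator clock: only for notification incidents, and only once determined.
    regulator = (
        determined_at + REGULATOR_WINDOW
        if notification_incident and determined_at is not None
        else None
    )

    # 30-day FTC clock: gated by both the encryption status and the 500-consumer threshold.
    ftc = (
        discovered_at + FTC_WINDOW
        if effectively_unencrypted and total >= FTC_THRESHOLD
        else None
    )

    # State clocks: one per state with affected residents; no count threshold applies here.
    state_deadlines: dict[str, datetime] = {}
    needs_lookup: list[str] = []
    for state, count in affected_by_state.items():
        if count <= 0:
            continue
        days = STATE_DEADLINE_DAYS.get(state)
        if days is None:
            needs_lookup.append(state)
        else:
            state_deadlines[state] = discovered_at + timedelta(days=days)
    earliest_state = min(state_deadlines.values()) if state_deadlines else None

    all_deadlines = [d for d in (regulator, ftc, earliest_state) if d is not None]
    return {
        "total_affected": total,
        "regulator_36h": regulator,
        "ftc_30d": ftc,
        "state": state_deadlines,
        "earliest_state": earliest_state,
        "states_needing_lookup": sorted(needs_lookup),
        "earliest_overall": min(all_deadlines) if all_deadlines else None,
        # Examiners look at this gap; surface it alongside the deadlines.
        "discovery_to_determination": (
            determined_at - discovered_at if determined_at is not None else None
        ),
    }


def example_incident() -> dict:
    """Constructed scenario: ransomware that disrupted core systems and exfiltrated
    encrypted customer data together with its key; 560 individuals in three states."""
    discovered = datetime(2026, 2, 27, 14, 0, tzinfo=timezone.utc)
    determined = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
    return notification_deadlines(
        discovered, determined, {"CO": 200, "CT": 350, "NY": 10},
        unencrypted_acquired=False, key_also_acquired=True, notification_incident=True,
    )


def example_small_incident() -> dict:
    """Constructed scenario: one compromised mailbox, 120 Florida records, no disruption."""
    discovered = datetime(2026, 2, 27, 14, 0, tzinfo=timezone.utc)
    return notification_deadlines(
        discovered, None, {"FL": 120},
        unencrypted_acquired=True, notification_incident=False,
    )


if __name__ == "__main__":
    for label, result in (("ransomware", example_incident()), ("mailbox", example_small_incident())):
        print(label, {k: (v.isoformat() if isinstance(v, datetime) else v)
                      for k, v in result.items() if k != "state"})
```

In the ransomware scenario the earliest deadline overall is the regulator notice (36 hours after the Monday determination), the FTC report and the Colorado notices fall due 30 days after discovery, Connecticut allows 60, and New York is returned as needing a lookup rather than silently given a default. In the mailbox scenario no FTC report is owed because the count is under 500 and no regulator notice is owed because operations were not disrupted, but the Florida individual notice is still scheduled, which is the point of separating the state clock from the FTC threshold.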
Common mistakes in breach response
1. Waiting too long to classify the incident
The 36-hour clock starts at "determination," but regulators will evaluate whether your determination process was reasonable. If your IT team detected anomalous activity on Monday but no one reviewed the alerts until Wednesday, that gap is a problem — not because you missed the 36-hour window, but because your detection-to-determination process is inadequate.
2. Notifying consumers before you understand the scope
Sending a vague notification that says "we had an incident and are investigating" is not helpful and will not satisfy the FTC report's required fields (types of information, date range, number of consumers, description of the event) or the content most state statutes require in individual notices. Take the time to investigate, but do not let the investigation drag past 30 days without notifying.
3. Forgetting about service provider obligations
The same rule imposes a separate duty on bank service providers: a provider must notify at least one bank-designated point of contact at each affected bank, not the regulator, as soon as possible after determining that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services to that bank for four or more hours. Note what the rule does not give you: there is no fixed hour count on the provider's side, and a confidentiality-only incident below the four-hour disruption threshold is not covered. Close both gaps in your vendor contracts with an explicit notification obligation and a specific timeline. If your core processor is breached and takes two weeks to tell you, your own clocks may already be running.
How BlackSheep fits in
BlackSheep's GLBA compliance platform includes an incident response workflow that maps to both the 36-hour and 30-day notification requirements. It tracks timelines, documents your classification decisions, generates notification templates that meet FTC content requirements, and maintains the audit trail examiners expect to see.
You still need to make the judgment calls about whether an incident meets the threshold. The platform makes sure you do not miss a deadline or forget a required step while you are in the middle of managing a crisis.
Know your breach notification obligations before you need them.
Build your incident response plan with BlackSheep