of testing; security breaches or violations, and management's responses; and recommendations for changes in the information security program. (j) Response Programs for Unauthorized Access to Customer Information and Customer Notice (1) Background. This part of the Guidance describes response programs, including customer notification procedures, that an IB