Exposure / Breach Reporting Requirements
PCI.DSS1
03-28-2008, 09:24 AM
I am curious about the reporting requirements when cc and cvv data is exposed.
Are there clear requirements in the event data is exposed? If data is exposed internally versus externally does that impact the notification requirements where they exist?
hmark
04-02-2008, 09:29 AM
You ask a seemingly straightforward question, which will result in a confusing answer - "It depends." If there has been a compromise, or a suspected compromise, a merchant or service provider must notify their acquirer and the card brands within 24 hours. This is the same for internal exposure and external exposure - there is no difference in the eyes of the PCI DSS. As to notification of affected consumers, this is where it gets a little muddy. There are 40 different breach notification laws in the U.S. Each has somewhat different definitions of what constitutes a breach and what is considered personal information. While I wish I could offer a more substantive answer, it really depends on what state(s) the company is doing business in, what data was exposed and the number of consumers affected.
derra
04-01-2009, 07:04 AM
Tip: Look at VISA's "What to do if compromised" document.
jbhall56
04-01-2009, 10:22 AM
I would argue that even the card brands' notification is problematic at best. The reason is that if legal authorities decide that they do not want notification issued, they usurp any contractual obligation through their authority under any gag orders, warrants or subpoenas that might be involved.
While the card brands want a heads up on any potential breach within 24 hours, most major organizations' incident response plans do not inform the card brands until they are certain that a breach has occurred. Senior management (at a minimum the COO, VP PR and Legal Counsel) are typically made aware once there is good reason to believe that a breach has occurred. It is at that point that most organizations will either contact law enforcement or take legal action on their own.
If law enforcement is notified, then the breach is out of the organization's hands. They will be told by law enforcement when they can let third parties know of the breach. This is particularly true if the FBI is involved.