A debit card customer (Mastercard branded) has stated that she wants to report that her card has been used without her knowledge since January 2006. Doesn't she need to notify us within 60 days? What are we liable for?

Yeah, this sort of stuff happens a lot.

First, the Reg E. Billing Error rule is not 60 days, but 60 days from the last statement upon which the error is evidenced. If we assume that you issue statements on the 1st of each month, then she has protection on her December and November statements (which would cover transactions from Oct 1 - Nov 30) plus any current transactions.

Second, while the transactions from Jan - Sept do not qualify for Billing Error protection, there is the Unauthorized Use provision of Reg. E - 205.6. Under this section there is a formula for figuring out how much she is responsible for:

(2) Timely notice not given. If the consumer fails to notify the financial institution within two business days after learning of the loss or theft of the access device, the consumer's liability shall not exceed the lesser of $500 or the sum of:

(i) $50 or the amount of unauthorized transfers that occur within the two business days, whichever is less; and

(ii) The amount of unauthorized transfers that occur after the close of two business days and before notice to the institution, provided the institution establishes that these transfers would not have occurred had the consumer notified the institution within that two-day period.

You could argue that the statement sent with the January transaction was enough to allow the consumer to identify that the transaction was unauthorized, unless the consumer has a valid reason for having such a late discovery date concerning the errors.

You also have other considerations:
Your card agreement and what it advises on consumer liability
MasterCard's Zero Liability Policy
If the transactions involve an accepted access device
If the transactions are POS or ATM