So there's a spectre haunting my arguments for disclosure, the spectre of cost. I'm surprised none of my critics have brought it up yet.
Mailing notices to people and handling their questions can be expensive. When the personal data being lost is a credit card number, I don't care that much. When it's medical data, my national ID number, or other data which can be used to harm people, I care more.
I'd be perfectly willing to forgo personal notification of the theft of credit card numbers. I just don't think it's that important, and the liability lies with the banks and the merchants. In contrast, the outcome of my SSN being abused falls back to me, in credit reports, false arrests, etc. Personal notification regarding SSNs will be important until we have a society where I'm in control of my personal information and how it's used to identify and authenticate me. Personal notification around medical and other information will always be important.
The tradeoff I'll offer up is this: I'll stop caring about personal notification of credit card breaches if we can agree that a decent, in-depth analysis of what went wrong should be filed in some public way, and that any organization that does so should get some degree of protection against negligence claims. That analysis is being done anyway, so the additional costs are pretty minimal. The additional legal concerns raised by telling what happened can be addressed by adding some protections. It's essentially trading the public good of more information to analyze for protection against legal claims being built on that information.