GDPR, the new EU Data Protection legislation, will actually require companies to issue notification of a breach of PII within 7 days of becoming aware of it, I believe.
That only applies to notification to the data protection authority unless the breach "is likely to result in a high risk to the rights and freedoms of natural persons".