In the US, software regulated under HIPAA must report many breaches through a public website. I know my company is extremely serious about preventing breaches, and I would not be surprised if this law would make companies take things more seriously. Of course, there may be too many breaches for it to have any consequence.
I think the criteria of reporting should be something along the lines of "If the data that was stolen is the user's, then report to the user". If it can't be determined what was stolen, just report to everyone. This should be an embarrassing situation for the company.