From Emergent Chaos, a link to the paper "Approaches to Breach Notification" from the Canadian Internet Policy and Public Interest Clinic. I've been spending this frosty MLK Day afternoon looking it over. I really dig this approach:
Generally, the affected organization is in the best position to calculate the associated risks of a breach of its information security and should be entrusted with this determination. However, there should be a requirement that every breach involving defined personal information be reported to the Privacy Commissioner, with full information about the nature and extent, the anticipated risks, mitigation measures, steps taken to notify affected individuals or, where notification is not considered warranted, the justification for not taking this step.This seems to be a reasonable approach to prevent blanketing of potential victims with notices of low-risk data loss events. The Commissioner can evaluate the organization's risk assessment to filter for the Excessive Butt Coverage Risk Assessment Methodology. *
The recommended contents of the notice would help, notably the time and method of the disclosure. I've seen notices with the vague "may have been accessed by unauthorized individuals" which offer the potential victim no real way to assess the damage.
*EBC-RAM is a Full-Custom Chrome-Plated Methodology with a burled walnut finish (optional). Patent pending, R. Dutcher Stiles, 2007
Edit to add that Educated Guesswork has a very cogent analysis of the article.