the grey area of data disclosure announcements

A little closer to home, it seems the University of Iowa has had to notify 14,500 persons that their data might have been disclosed. I like that the announcement qualified that the likelihood of disclosure was low. In other words, an attack was detected and the extent of the breach was unknown, but this data was accessible on the system.
This makes me shake my head and wonder when this disclosure storm will end. Disclosing possible data thefts and leaks is just not a scalable or long term solution. It is not even a short term solution. Very quickly we will all become numb to this activity, not care, and even if we understand what to do by reading the letters and FAQs, we still won’t do much more or change our behavior as users and consumers.
But there are other reasons why this is a poor decision. For instance, there is this huge grey area in defining what counts as a disclosure. What if a system was broken into, all indications point to the system having been used to house pirated movies, but it *may* have had data disclosed? Do you have to disclose it if there is a reasonable expectation? What about a networked system that is not fully patched and is noticed to be out of date? Theoretically, it could have been attacked. What if the hosting company would not have detected such an attack? Is it reasonable to assume that system was never accessed fraudulently? And just where do 0day attacks fall into this picture? What if there is merely the potential for disclosure in the future, which is not all that unlikely given a Windows architecture and the mishmash inner organization of most IT infrastructure from the perspective of the malicious insider? Should we disclose when information is simply being stored in a non-optimal way?
And that is not even to begin to get into the grey areas within organizations on disclosure and reasonable expectations. Who is held accountable for hardening systems, detecting problems, escalating them to those that need to know, and then disclosing them? How much grey area or liberty will be taken with interpreting the regulations and expectations?
No matter the answers, the current practice of forcing disclosure of possible data thefts and possible identity theft is not a very good procedure and may do more harm in the long run than good. But at least it drives home to C-levels the need to pay attention to this stuff, and not just treat IT like some arcane entity working behind a large screen. The handling of information and data access is only going to become more and more important over the next 10 years (and anyone who has tried to track access to data and permissions in anything but a small corporation will be able to relate exactly how difficult this can be).
And yes, at least this is the start and it is something, as opposed to diving straight into analysis paralysis and doing nothing.