I would think you'd want to put in some criterion like “significant”. You can have a technical breach of personal information, but if it's not significant, then you get into a company having to notify millions of people, which is extremely costly from the company's point of view.
On November 27th, 2006. See this statement in context.