It's difficult to speak on behalf of all members. But I think when you have a breach where material information has been provided to third parties, including unknown third parties, and there is a risk that the information could be used for criminal purposes--for identity theft, for God knows what--then I think there should be a notification.
On February 1st, 2007. See this statement in context.