In my view, I think the onus should be even higher on companies, because they collected the information and they had the responsibility to safeguard it.
When a breach occurs, as a practical minimum standard if it involves financial information, the duty is not just to notify; the duty is to make sure the individual suffers no lingering harm as a result. It's hard to know whether this should be a standard put into the law or a standard that is encouraged by the Privacy Commissioner for adoption at a practical level, but certainly there should be an obligation on a company to make whole what has been lost. That goes to the heart of really dealing with the breach. If it was the company's fault, they should step up to the plate and they should be required to rectify any problems.
That includes things like the credit watch services. They should not be things people should have to go out and find on their own. Where you have a breach that could lead to identity theft or credit theft, you should have an obligation imposed on the company to actually pay for those kinds of credit watch services in order to make sure the individual has not suffered harm because of that breach.