The commissioner's role is to decide whether or not the breach is significant enough that individuals have to report it. You don't need to scare someone if the data has been put in the wrong closet, but then the commissioner gets to decide whether or not a breach has occurred and someone has been affected here.
On April 3rd, 2014. See this statement in context.