It is TD's practice today to notify all individuals who have been compromised, or we suspect have been compromised. For all material or larger systemic things, we would also notify regulators, the Privacy Commissioner, etc., but on an individual basis, to answer your specific question, it is our policy to do that today.
On May 29th, 2014. See this statement in context.