There's a tendency to err on the side of caution with respect to the notification of individuals. We certainly don't want to discourage notification, but the issue becomes the appropriate interpretation of what is a material breach, and secondarily, whether it is something that has the potential to harm someone.
If you have a breach, and you decide you're going to notify people that there has been a breach and they're at risk of harm, if they were never really at risk of harm, the individual notifications shouldn't have gone out. Then they come to our office, and we try and tell them that, no, this was a circumstance where we concluded that there was no risk of harm to you. Once you've been told that you've been put at risk by a breach of your privacy, it's very hard to convince anybody that they aren't at risk and that the notification was unnecessary.
People get stressed and they start worrying about identity theft, embarrassment in their community, and all kinds of things that they were never put at risk of having happen to them.