To answer that question, yes, that's part of any company's process in evaluating a breach: what is the impact of the breach? They all have internal policies on how to manage that. Financial institutions would have a very rigorous set of policies, whereas a small business may have something very straightforward, depending on the type of information they collect.
On February 17th, 2015. See this statement in context.