Effects of mandatory disclosure laws?

by Justin Clarke

Related link: http://www.schneier.com/blog/archives/2006/03/class_break_of.html

I was just reading on Bruce Schneier's blog about Citibank cancelling ATM/debit cards, when used overseas in the UK, Canada, and Russia. These cards were (apparently) previously compromised from a US retailer a year ago, leading me to believe this is: a) not something Citibank is perhaps at fault for... but certainly b) could have been handled a hell of a lot better.

This reminds me of the relatively new mandatory disclosure laws in California, New York, and Ohio, and leads me to wonder whether the people involved were ever informed that their information had been stolen? Certainly the California law was in effect at the time (the New York law went into effect in December 2005, Ohio last month), so I wonder if the people in California had been notified?