Adam mentioned the recently announced Ameritrade incident. One thing I found interesting is their decision to hire ID Analytics to determine whether ID theft follows this data breach.
According to an ID Analytics press release, the US Veterans’ Administration did something similar when several million veterans’ information was revealed. At a cost of $25,000 (according to Fedspending.org) in the VA case, this sort of approach would almost certainly be much less costly than services like Equifax’s CreditWatch, which are often offered to those whose information has been revealed by a breach.
I think what we’re seeing here is the leading edge of a trend. Firms are applying (what they think is) a risk-based approach to determining what level of post-breach response they provide (if any) to individuals whose information is involved. This is similar to the risk-based notification triggers which some think wise. I would look for more of this: as firms become more knowledgeable about their options, they will become more discriminating in their responses.