When an organisation loses, misplaces or abuses data held about you, or when an organisation is hacked, attacked or circumvented, it should have to report such things to the Information Commissioner, its shareholders (if plc), the police (where a crime has been committed) and the individuals whose data may have been abused.
Why does this idea matter?
Right now it's completely voluntary and many companies will not report such abuses because of the PR nightmare and the damage to reputation it would cause. Yet companies regularly abuse data held on individuals, ignoring Data Protection laws, and are regularly involved in security incidents that put the organisation or the data they hold at risk, but rarely report them.
Forcing reporting of these incidents would let individuals take action to protect themselves against identity theft, and we would back companies who take their information security seriously.