Right now it's completely voluntary and many companies will not report such abuses because of the PR nightmare and the damage to reputation it would cause. Yet companies regularly abuse data held on individuals ignoring Data Protection laws, regularly are involved in a security incident that puts the organisation or they data they hold at risk but rarely report it.
By forcing reporting of these incidents individuals could take action to protect themselves against identity theft and we would back companies who take their information security seriously.