I'm going to presume that dry 24/7 is registerd in the US or Canada; their site is down for me so I can't find out.
The US appears not to have a federal level data breach notification law, but every state has it's own one.
The EU now has very strict data breach laws since GDPR came into force in May. Companies here have to notify the regulator within 72 hours and notify customers of what was taken and the level of risk to them without undue delay.
Canada seems to have recently introduced new regulations along similar lines to the EU, not sure what they had before.
Of course, these usually aren't retrospective, so breaches that occured before the regulations were in force may not have had the same reporting obligaitons that now exist.