Remember the federal bust in early August that netted 11 hackers who allegedly stole more than 40 million credit card numbers? Now, The Wall Street Journal reports that many of the victims of those thefts were never even notified by the restaurants and retailers who were hacked.
This is true despite the fact that some 40 states have breach notification laws.
Only four of the nine companies that were hacked clearly notified their customers. The companies that did not – Boston Market, Forever 21, and possibly Barnes and Noble, Office Max and Sports Authority – had varying excuses. One excuse was that they never “confirmed” data was stolen, the WSJ says. Barnes and Noble, Office Max and Sports Authority, meanwhile, wouldn’t even say whether they made disclosures in the first place. (A WSJ investigation found no evidence of any disclosures.)
I’m surprised how little PR backlash these companies have received. It’s not only the law that says you have to notify customers in the event of a breach; it is also the ethical thing to do. The only reasonable debate is how that disclosure should happen.
However, four companies – TJX, BJ’s Wholesale Club, DSW and Dave and Busters – did notify customers shortly after the breaches were discovered. These companies deserve full credit for their actions, especially TJX. The clothing retailer has been lambasted for more than a year in the press since the disclosure in early 2007.
I’m well aware of the paradox here. The four retailers that allegedly were not proactive so far have received little condemnation. And some of the retailers who were proactive are now synonymous with the words “data breach.” Not very fair.
So, does that mean that doing the right thing isn’t always the best thing? I interviewed crisis management expert Dean Trevelino, owner of public relations firm Trevelino/Keller, on this very topic. To begin, he says, all retailers should follow these three steps:
- Retailers big and small need to make the necessary investments in making sure they are as protected as possible. That, of course, means having a robust and consistent security policy in place. For smaller retailers, he says, these investments ought to be weighed with substantial thought next to the revenue they may be bringing in.
- All retailers – even the smaller ones – need to have a basic crisis control plan in place. This includes a to-call list – i.e. PR, legal and IT.
- If it does happen, you “absolutely need to be forthcoming,” Trevelino says. That means a disclosure within 48 hours. But he adds that no disclosure should occur if you don’t have a clear handle on how it happened. “Grab the smartest people you can find and drill down on the causes and solutions to the problem,” he says. “Once you do that, let affected customers know ASAP what they should do and what you are doing to solve the problem,” he adds.
So what about the paradox? Trevelino sums it nicely:
While TJX received its fair share of bad press, the worst is over. In fact, he says, the companies on the up-and-up may be viewed rather positively, now that the thieves have been busted. In contrast, for Boston Market and the rest of them, the worst is likely yet to come.
“It’s a heck of a road back if you’re weak from a security standpoint and not forthcoming,” Trevelino says. “People will forgive you if you didn’t have enough security, especially nowadays – you’re simply just one of the many victims. But if you’re a victim and not forthcoming, that’s a difficult thing to recover from.”