I asked Lisa Sotto, head of privacy and information management at law firm Hunton & Williams, about this:
Q: Heartland and Monster told me they intend to comply with all state laws. That said, they have not announced plans to notify individual victims. Is that OK?
A: In the state breach notification laws, it is permissible to delay notification if a law enforcement agency determines that notification would impede a criminal investigation. If such a delay is requested by law enforcement, notification must be made after the law enforcement agency determines that notice would not compromise the investigation. I do not know if these companies received a delay request from a law enforcement agency. […]
Q: The only official notices from Heartland and Monster so far have been one-page disclosures posted on a web site. Does that cover them?
A: There are provisions in the state laws allowing for “substitute notice” if the number of individuals required to be notified exceeds a certain number (which differs by state), if the cost will exceed a certain dollar amount (which also differs by state), or if the business seeking to notify does not have sufficient contact information for the affected individuals. If substitute notice is used, the notifying party generally must send an email to the affected individuals if the notifying party has email addresses, post a notice on the web site page of the notifying entity, and notify media.