
Submission: Data theft notifications - how soon is too soon?
bsdbigot writes: Here's the deal. I started getting a bunch of stock-tout spam in the last month or so. The other day, I happened to look and see it was coming in to an email address I had dedicated to my TD Ameritrade account.
I've spoken to TD Ameritrade, and I've given them the info on these spams. It turns out there is an "ongoing investigation," which includes "outside agencies," but they stop short of saying that there is any theft or breach. Personally, I'm quite sure there is.
So, I asked them how many people are affected by this; they feel certain that it's an isolated problem, because they haven't received a deluge of complaints. They don't know how these spammers got my reserved email address from TD Ameritrade (but it wasn't sold by TD Ameritrade, they are quite clear on that), so how can they be so certain it's not their entire database, and how can they be so sure that things like my SSN and bank routing information weren't also stolen?
My question to Slashdot is this: how soon should a company like TD Ameritrade let its customers know that their data has been compromised? Should they wait until they have all the details and have plugged the breach, or should they let customers know that there is a possible problem as soon as they recognize it? Seems to me the answer should be the latter.