Legal obligations to report. Determine scope of problem – is the exposure local, contact city/county police. Is there applicable state law, then they also have to notified. Does the the exposure include other locales in the state, then notify state level authorities anyway. Are any of the customers exposed in other states, then it is a federal matter by the ICC (Interstate Commerce Clause). And the newer regulations GLB and HIPAA require their involvement. If you suspect foreign involvement in the breach of security, then the FBI is at the top of your list. Good luck, and may none of us have to walk this decision path.