TJX sued by banks for not disclosing security breach

TJX sat for months knowing full well they had been breached but didn't notify anyone.  The downstream impacts for issuers alone are potentially huge.  What do you do knowing that you have a list of customers whose cards you know were breached?  Do you replace them all as a precaution?  Who pays for that cost?  Or do you monitor and hope for the best?  Who pays for the cost of the added monitoring?

Schneier on Security: Lawsuit for Not Disclosing a Security Breach

The TJX breach was worse than first thought.
The company initially believed that attackers had access to its network
between May 2006 and January 2007. However, TJX recently admitted that
thieves were inside the network several other times, beginning in July
2005. In last month's SEC filing, the company said the stolen data
covers transactions dating back even further, to December 2002. The
Federal Trade Commission (FTC) is investigating the breach.