http://labor-employment-law.lawyers.com ... ivate.html
In general, unless you're a federal agency or contractor, state laws will specify the employer's responsibilities.
If you are the employer, then this forum is the wrong place for an answer: you really should talk to a lawyer who specializes in business law, and is familiar with the policies of the state(s) in which you have active employees, especially since you are already aware of potentially compromised information for which the company may have responsibility and/or liability. It will cost you perhaps $300 for an hour of consultation but it puts you in a much safer position than trying to wade through state statutes without knowing the precedents or corner cases.
And if it turns out there is a larger liability problem that may need to be cleared up with notices to affected employees and offers of identity theft protection, you're going to need to retain that lawyer for some time.