It seems like Convio has done their part by getting the information out to clients regarding the security breach. What seems extremely troubling to me is that not all of the organizations seem to have contacted their donors/constituents to notify them of the risk they may face.
Granted - no credit card details were compromised. But, am I the only dummy out here who uses the same password for multiple online sites? If a hacker got my password from a GetActive client that I supported... I would be a prime target for identity theft if that same hacker tried to access my Yahoo! or PayPal account.
That is the next (and scariest) phase of this story.
Convio can only lead their clients by providing draft emails... they can't make the clients actually send the email to their constituents. Should they be more proactive and contact the affected people themselves? Is Convio legally allowed to contact these constituents?
If you lost a set of keys and those keys have your address printed on the keychain, don't you have an obligation to notify the people who you share that house, apartment, or office with? What would you do if that happened to you? Do you keep your mouth closed and hope no one breaks in? And if they do, would you continue to pretend the thief didn't get the key from you?