The short answer is: It depends. The long answer is: When you communicate and how often you communicate will differ for each organization. This sort of communication process should be built into your organization's business continuity/disaster recovery/incident response (BC/DR/IR) process. A data breach is no different from any other incident that may require executive notification. Timing will depend heavily on the size of the breach, when it was discovered, whether it has reached the media, and any number of other business concerns particular to your organization.
If this sort of communication plan isn't already part of a larger BC/DR/IR program, sit down with the enterprise's legal team and HR department (at a bare minimum), as well as with the CIO and the corporate communications team, to assemble a basic plan. The other members of the team will have had past experience communicating similar issues to the C-suite and should have useful feedback on when and how to notify them. Once you have a rough plan that everyone is happy with, you or another member of the team can present it to the rest of the C-suite for their feedback. At that point you'll get a much better sense from the executives of when they want to be notified and how much detail they want. This will probably take a few iterations to get right, and don't be surprised when you have to make changes to the process after the first real incident.
This was first published in September 2009