The short answer is: It depends. The long answer is: When you communicate and how often you communicate will be different for each organization. This sort of communication process should be built into your organization's business continuity/disaster recovery/incident response (BC/DR/IR) process. A data breach is no different from any other incident that may require executive notification. Timing will depend heavily on the size of the breach, when it was discovered, whether it has hit the media and any number of other particular business concerns.
If this sort of communication plan isn't already part of a larger BC/DR/IR program, sit down with the enterprise's legal team and HR department (at bare minimum) as well as with the CIO and corporate communications team to assemble a basic plan. The other members of the team will have had past experience communicating similar issues to the C-suite and should have great feedback on when and how to notify them. Once you have a rough plan that everyone is happy with, you or another member of the team can present this plan to the rest of the C-suite for their feedback. At this time, you'll get a much better feeling from the executives about when they want to be notified and how much detail they want. This will probably take a few iterations to get right. And don't be surprised when you have to make changes to the process after the first incident.
Related Q&A from David Mortman