I think most companies have a weak playbook for this kind of interaction. I once bought a product (and I'm going to be deliberately vague) from a company whose customers are mostly very famous people around the globe. The URL for my order included the order number, and that page showed everything about my order and my PII. Naturally I tried changing the order number, and wowzers, I was able to see emails, phones, addresses, contacts for the PA/agent and sometimes direct contact info for the ordering party.
When I contacted the company about this, they didn't thank me or really acknowledge the problem. They fixed it about a month later by requiring login to view order URLs. I feel like they should have let their customers know all their PII data was exposed. I know they didn't; I never got such a notification.
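The bug the commenter describes is a textbook insecure direct object reference: a sequential order number in the URL and no check that the requester is allowed to see that order. The example below is added here and is not code from the post or from the company involved. It models the pre-fix handler, the "require login" fix, and a hardened handler that also checks ownership, then runs the same id-walking the commenter did against each. The `ORDERS` table, the account names, and the `current_user` argument are my constructed stand-ins for the shop's database and the web framework's session. The check worth noting: requiring a login stops anonymous enumeration, but unless the handler also verifies that the order belongs to the logged-in account, any customer can still read every other customer's PII.

```python
"""Added example (not from the original post): an order-lookup endpoint as a
vulnerable handler, a login-only fix, and a hardened ownership-checked handler.

Assumptions (mine, not from the post): an in-memory ORDERS dict stands in for
the shop's database and `current_user` stands in for the session layer.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str      # account that placed the order
    ship_to: str    # PII: postal address
    contact: str    # PII: e-mail/phone of the customer or their agent


# Constructed sample data; sequential ids, as in the commenter's story.
ORDERS = {
    1001: Order(1001, "alice", "1 Example Way", "alice@example.com"),
    1002: Order(1002, "bob",   "2 Sample Rd",   "bob-pa@example.org"),
    1003: Order(1003, "carol", "3 Test Ave",    "+1 555 0100"),
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def view_order_vulnerable(order_id: int) -> Order:
    """Pre-fix behaviour: /order/<id> with no authentication and no ownership
    check. Anyone can walk the sequential ids and read every record."""
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id)


def view_order_login_only(current_user: Optional[str], order_id: int) -> Order:
    """The fix the commenter describes: require a login. This blocks anonymous
    enumeration, but any logged-in customer can still walk the ids."""
    if current_user is None:
        raise Forbidden("login required")
    return view_order_vulnerable(order_id)


def view_order_hardened(current_user: Optional[str], order_id: int) -> Order:
    """Authentication plus an ownership check: the actual IDOR fix."""
    if current_user is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    # Same error for "does not exist" and "not yours", so the response does
    # not tell an enumerating caller which ids are real.
    if order is None or order.owner != current_user:
        raise NotFound(order_id)
    return order


def enumerate_orders(view, *args, id_range=range(1000, 1010)) -> list:
    """What the commenter did: try neighbouring ids against a handler and see
    which ones hand back data. Returns the ids disclosed to this caller."""
    leaked = []
    for oid in id_range:
        try:
            view(*args, oid)
            leaked.append(oid)
        except (Forbidden, NotFound):
            pass
    return leaked


if __name__ == "__main__":
    print("anonymous, pre-fix:   ", enumerate_orders(view_order_vulnerable))
    print("anonymous, login-only:", enumerate_orders(view_order_login_only, None))
    print("alice, login-only:    ", enumerate_orders(view_order_login_only, "alice"))
    print("alice, hardened:      ", enumerate_orders(view_order_hardened, "alice"))
```

Running it shows the gap between the two fixes: the login-only handler still leaks all three orders to any authenticated account, while the hardened handler returns only the caller's own order. Unguessable order references are a useful extra layer against casual id-walking, but they are not a substitute for the ownership check.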