How it should be done, no?
Makes sense to me: as soon as you're aware of a problem, cop to it and take whatever action you can. An improvement in their PR capabilities at least.
Obviously, not as good as making sure there's no unencrypted personal data lying around in the first place, but better than hiding behind a "no comment" wall for a bit.