Policy Consideration: Ethical to Purchase Data Breach Information?

Can a business buy a list of breached users from another business for the purpose of notifying the hacked users?

uh, what? Facebook wants to buy a list of hacked users from another comapny so it can don the white hat and tell its members they were hacked.

For your consideration while legislatures consider how to protect consumers whose information has been hacked. Anyone for a prohibition on the sale of the hacked information?

CSO | Security experts divided on ethics of Facebook’s password purchases