How could you not password-protect your online e-mail (let alone set up other kinds of more intense security)? Pizza chain Papa John's didn't. The company says it didn't cause any breaches--having an unavailable, nonpublic Web address--and even if it had, the breaches wouldn't lead to identity theft.
But do you want to be making that kind of explanation to customers who send you e-mail or are in your database? I didn't think so.