I am skeptical as well. I feel like the standard procedure these days is for a company to acknowledge that their security has been compromised but that the breach was limited to only non-sensitive data.
I'm not an expert but once you are breached I feel it's very difficult to be sure what was or was not accessed. Maybe if the system breached was air-gapped or completely third-party (e.g. a mail list provider) you can safely say "no personal information" was accessed but as a user, my trust in DocuSign is now lower no matter what they say.
