We're seeing a divide between the technical and popular interpretations of the term "breach". When an industry drops the ball and responds pedantically, that's a strong sign that further regulation is needed. If only to force a common language.
Facebook insists they were not "breached" because many states require notification in the event of "security breaches of information involving personally identifiable information" . Each body of law defines "breach" differently. Most do not limit it to technical security malfunctions.
We already have plenty of regulation here that Facebook is unambiguously subject to; the question is whether the relevant authorities will actually follow through on that.
For what it's worth, it's been two days, and we're already seeing an FTC investigation and a Congressional investigation, so it's a little premature to conclude that existing regulation is insufficient.