A decade of lawmaking by states to ensure American consumers are told when their data has been hacked still lets companies such as Target Corp. wait weeks or even months to disclose security breaches.
Forty-six of the 50 states have passed laws requiring disclosure, starting with California in 2002, but the laws vary in terms of when and how notice must be given, and most states allow for delays to investigate the intrusion.
Calls for federal action, including by the U.S. Federal Trade Commission, have gone unheeded by Congress. And guidelines to safeguard investors in public companies also do not give clear guidance on timing and do not require disclosures that would compromise a company's cyber security.
Consumer advocates have criticized Target, where data from 40 million credit and debit cards and 70 million other records containing customer information was stolen, for delaying disclosure in order to maintain sales over the holidays.
State attorneys general are probing the breach. Target says it acted quickly after taking defensive action.
"It's a judgment call," said Joseph DeMarco, a former head of the cyber crime unit at the U.S. attorney's office in Manhattan. "A breach investigation could take weeks or months before you know enough to have a legal obligation to disclose."
Target, the third-largest U.S. retailer, said on Dec. 19 that hackers had stolen data from up to 40 million credit and debit cards of shoppers who visited its stores between Nov. 27 and Dec. 15.
CEO Gregg Steinhafel said Target made its announcement four days after it "confirmed that we had an issue." The retailer has not said when it first learned of the break-in.
Then, on Jan. 10, the company said the breach was bigger than initially thought: Hackers also stole personal information of 70 million customers.
Another retailer, Neiman Marcus, said last Friday it was warned about a possible breach in mid-December and that an outside forensics firm confirmed the intrusion Jan. 1.
Both the Target and Neiman Marcus breaches were first revealed publicly by an independent blogger.
In addition, three other retailers suffered breaches during the holiday shopping season that have yet to be publicly disclosed, according to sources familiar with the attacks.
Only a handful of states require notice by a specific deadline. Florida, Vermont and Wisconsin, for example, give entities 45 days from the date of discovery, but even those states allow exceptions.
Jamie Court, president of Los Angeles-based public interest group Consumer Watchdog, said the timing of the Target and Neiman Marcus announcements raises questions about whether the retailers wrongly delayed telling consumers so as not to hurt holiday sales.
Target spokeswoman Molly Snyder said the company acted as quickly as it could. "As soon as we confirmed the point of access to our system, closed it and eliminated it, we moved swiftly through the notification process," she said.
Ginger Reeder, a spokeswoman for Neiman Marcus, denied its disclosure timing was influenced by sales considerations.