In theory, stores must notify their shoppers about data theft
A decade of lawmaking by states to ensure customers are told when their data has been hacked still lets companies such as Target wait weeks or even months to disclose security breaches.
Forty-six of 50 U.S. states have passed laws requiring disclosure, but the laws vary in terms of when and how notice must be given, and most states allow for delays to investigate the intrusion.
Consumer advocates have criticized Target, where data from 40 million credit and debit cards and 70 million other records containing customer information were stolen.
State attorneys general are probing the breach, though Target says it acted quickly.
"It's a judgment call," said Joseph DeMarco, a former head of the cybercrime unit at the U.S. attorney's office in Manhattan. "A breach investigation could take weeks or months before you know enough to have a legal obligation to disclose."
Target said Dec. 19 that hackers had stolen data from up to 40 million credit and debit cards of shoppers who visited its stores between Nov. 27 and Dec. 15.
Chief Executive Gregg Steinhafel said Target made its announcement four days after it "confirmed that we had an issue." The retailer has not said when it first learned of the break-in.
Another retailer, Neiman Marcus, said last week that it was warned about a possible breach in mid-December and that an outside forensics firm confirmed the intrusion on Jan. 1.
Jamie Court, president of Consumer Watchdog, said the timing of the Target and Neiman Marcus announcements raises questions about whether the retailers wrongly delayed telling consumers. He called on state attorneys general to look into whether companies failed to disclose their breaches to maintain sales over the holidays.
One attorney said notification is not top priority for a company. "The first order of business regardless of any state law is to plug the hole, protect the user and then worry about reporting," said Albert Gidari, a lawyer who has helped companies deal with security breach investigations.
Only a handful of states require notice by a specific deadline. Florida, Vermont and Wisconsin, for example, give entities 45 days from the date of discovery. But even those states allow exceptions, such as when disclosure could hinder a police investigation.
Other laws are vague. In Connecticut, Maryland, Virginia and Illinois, there are no hard deadlines.
Susan Lyon-Hintze, another lawyer who works with victimized companies, said it was risky to disclose too early, which would tip off hackers to investigations. "That can actually lead to more harm for consumers in the long run," she said. "They'll shut down their operations and move on to the next company."
Target spokeswoman Molly Snyder said the company acted as quickly as it could. "As soon as we confirmed the point of access to our system, closed it and eliminated it, we moved swiftly through the notification process," Snyder said in an email. Neiman Marcus denied its disclosure timing was influenced by sales.
Connecticut Attorney General George Jepsen, who is helping to lead a coalition of more than 30 states probing the Target attack and possibly others, may look into whether Target unreasonably delayed its announcement.
"One of the issues we look at in data breach investigations is the timeliness and adequacy of notification to appropriate government authorities and to consumers," said the attorney general's spokeswoman, Jaclyn Falkowski.
Penalties for failing to disclose breaches vary by state. Some states set a maximum penalty per breach, with the amount depending on how many people are affected. In Michigan, for example, fines can range up to $250 per failure and $750,000 per breach.