Target Corp recently came under scrutiny over the fact that 40 million credit and debit cards and 70 million other records containing consumer information were stolen. The United States has spent a decade making laws to force companies to tell their consumers about such breaches. However, Target Corp was able to wait weeks or even months to disclose these breaches of security.
Forty-six of the fifty U.S. states have passed laws that force companies to disclose security information to consumers. However, these laws vary in terms of when and how these notices to consumers must be given. Most states allow companies to delay release of said information to perform an investigation of the intrusion.
According to Joseph DeMarco, former head of the cybercrime unit at the U.S. Attorney’s office in Manhattan, “A breach investigation could take weeks or months before you know enough to have a legal obligation to disclose.”
Target is the third largest retailer in the United States. The company said that hackers had stolen data from 40 million credit and debit cards of shoppers who visited Target stores between November 27th and December 15th. It soon realized that the breach was even bigger than it had thought: upwards of 70 million customers’ information had been stolen.
California has some of the strictest rules related to disclosure of hacks. However, they still allow some headroom. A company must disclose the information in “the most expedient time possible and without unreasonable delay.” States like Florida, Vermont and Wisconsin give businesses 45 days from the date of discovery to reveal the information about the breach. Even so, a release of information can be delayed if they feel it will interfere with a police investigation.
Normally, a company discloses information in its quarterly or annual reports.
Measures are being taken to see if Target Corp’s delay in revealing this information was truly unreasonable. The attorney general’s spokesperson said, “One of the issues we look at in data breach investigations is the timeliness and adequacy of notification to appropriate government authorities and to consumers.”