The Target data breach affecting 40 million credit and debit cards stems back to Nov. 27, two days before Black Friday. So why are we just hearing about it now, three weeks later?
Although it might seem like ages to affected consumers, in the scheme of data breaches, even three weeks is a pretty quick time frame to spot a breach and notify customers, said Will Pelgrin, president and chief executive of the Center for Internet Security. “No matter how quickly an entity notifies you, it will never be fast enough for an individual that’s impacted,” he said.
It’s unclear when, exactly, Target learned of the breach. The company has simply said, “We began investigating the incident as soon as we learned of it.”
Target didn’t immediately return requests for comment on this story.
Fraud and privacy experts say there’s a typical process retailers follow when customers’ financial information is compromised. “It’s a pretty serious thing to not follow requirements on that, which is to report it as soon as possible,” said Brian Riley, a senior research director at Tower Group. “Any time there’s a breach, they have to report it.”
(Read more: Shop at Target? Data breach may hurt holiday sales)
State law determines how quickly a company must notify affected consumers of the breach.
“Forty-six out of the 50 states have a data breach notice law on the books,” said Beth Givens, director of the Privacy Rights Clearinghouse. “Even for those four states that don’t have it, the best practice is to provide notice.”
The problem, she said, is that most of those laws don’t set a firm timeline. “Most laws use wishy-washy words like ‘reasonable’ time frame,” she said. Retailers could use that vagueness to their advantage, potentially holding off on alerting consumers until there’s good news with the bad: Yes, there was a breach, but we know how it happened and have new protections in place.
“No matter how quickly an entity notifies you, it will never be fast enough for an individual that’s impacted.”-Will Pelgrin, president and chief executive of the Center for Internet Security.
-Will Pelgrin, president and chief executive of the Center for Internet Security.
Some laws also allow for a delay in notification at the request of law enforcement—which may want to keep the incident under wraps while an investigation is ongoing to better pursue the criminals.
It’s not just local law enforcement, either. The Secret Service, the Treasury Department’s law enforcement agency, has handled most such fraud cases since the mid-1980s, Riley said.
Brian Leary, a spokesman for the Secret Service, confirmed that the agency is investigating the Target data breach. He declined to comment further, citing the ongoing investigation. Leary also declined to say when the Secret Service was notified of the breach.
Of course, varying laws can also make it difficult for large retailers with locations in pretty much every state to be compliant, said Pelgrin. Each state has different requirements on what kind of breaches must be reported, which state agencies must be notified, and which steps taken.
“That alone is a very difficult process, which adds to the timeliness,” Pelgrin said. Plus, it’s happening at the same time a retailer is working with law enforcement and cybersecurity experts to determine the extent of the breach and remedy it.
In Target’s case, experts say it’s unclear whether state compliance or the Secret Service investigation delayed notification. But media attention may have pushed the retailer to make an announcement earlier. As NBC reported Thursday, first reports of the breach came from the blog Krebs on Security, with Target’s announcement following.
Given the ability for companies to lag on notification, consumers’ best recourse as breaches become more common is to monitor their accounts regularly, rather than wait for monthly statements, Givens said.
Shoppers should also reassess paying with debit cards, which have fewer protections compared to credit cards in the instance of fraud.
Pelgrin advises consumers to alert their banks of potential fraud when they see notice of a breach in the media involving a retailer where they have shopped. Don’t wait for the retailer to reach out directly, which may take even a few days longer, he said.
According to the Privacy Rights Clearinghouse, 621,955,664 records have been breached in the U.S. since state data breach notifications laws went into effect in 2005. Those are only the ones that have been reported—experts think the figure is much larger.
—By CNBC’s Kelli B. Grant. Follow her on Twitter @kelligrant.