“No matter how quickly an entity notifies you, it will never be fast enough for an individual that’s impacted,” he said.
It’s unclear when, exactly, Target learned of the breach. The company has simply said, “We began investigating the incident as soon as we learned of it.”
Target didn’t immediately return requests for comment on this story.
Fraud and privacy experts say there’s a typical process that retailers follow when customers’ financial information is compromised.
“It’s a pretty serious thing to not follow requirements on that, which is to report it as soon as possible,” said Brian Riley, a senior research director at CEB TowerGroup. “Anytime there’s a breach, they have to report it.”
State law determines how quickly a company must notify affected consumers of the breach.
“Forty-six out of the 50 states have a data breach notice law on the books,” said Beth Givens, director of the Privacy Rights Clearinghouse. “Even for those four states that don’t have it, the best practice is to provide notice.”
The problem, she said, is that most of those laws don’t set a firm timeline. “Most laws use wishy-washy words like ‘reasonable’ time frame,” she said. Retailers could use that vagueness to their advantage, potentially holding off on alerting consumers until there’s good news with the bad: Yes, there was a breach, but we know how it happened and have new protections in place.