WASHINGTON — It took Target a week to tell customers about a massive data breach that compromised the privacy of millions of shoppers during the holiday season. Neiman Marcus waited 10 days to tell customers after confirming last month that it had been the victim of a similar attack.
The delays have angered consumer advocates, but they are not unusual. When companies must notify consumers of breaches, how they notify them, and how much they disclose is governed by a dizzying mosaic of state laws.
At the federal level, the Securities and Exchange Commission has said companies should inform consumers in a timely manner, as long as doing so doesn't interfere with law enforcement investigations. But, apart from narrower sector-specific rules such as those covering health data, there is no general national law that compels a company to tell consumers about a data breach.
With law enforcement warning retailers that more attacks are likely soon, there is a push in Congress to develop a federal standard for how companies should handle breaches.
‘‘Today, consumers across the country aren’t uniformly protected, rather they’re subject to a patchwork of state rules and guidelines that are not effective enough in today’s national economy,’’ said Senator Tom Carper, Democrat of Delaware, who has cosponsored a bill with Senator Roy Blunt, a Missouri Republican, to provide a comprehensive national framework.
The bill would require companies to safeguard data, assess what harm a breach might do, notify federal agencies, and, when appropriate, notify consumers of attacks that affect more than 5,000 customers.
It’s just one of several competing bills that have been introduced this session, inspired by the recent retail hacks.
The retail industry, which has not endorsed a bill, said it supports a national standard because it would simplify procedures. Companies must now deal with a patchwork of laws in 46 states and the District of Columbia, Guam, Puerto Rico, and the Virgin Islands.
Maryland, for example, requires retailers to list contact information for the state attorney general when there is a breach of personal information. Massachusetts residents must be informed they can get a police report if they're a victim of identity theft. Iowa requires businesses to suggest reporting suspected identity theft to law enforcement. Oregon mandates that consumers be told they can contact the Federal Trade Commission.
Few laws address specific timing. A handful of states say that retailers have 45 days to disclose a breach, though there are separate and more stringent rules for breaches of more sensitive information, such as health data. In many states, companies are exempted from reporting breaches if their data are encrypted and the leak did not include the decryption key.
‘‘It is an analytical feat to comply’’ with all the laws, said Lisa Sotto, a partner and head of the global privacy and cybersecurity practice at Hunton & Williams.
Having so many laws also means that customers can fall through the cracks, consumer advocates said.
‘‘It’s a national issue, and it demands a federal response,’’ said Delara Derahkshani, policy counsel for Consumers Union, the policy and action division of Consumer Reports. A strong federal law would provide much-needed protection to consumers, she said, particularly in Alabama, Kentucky, New Mexico, and South Dakota, which have no such laws.
Still, some security experts caution that a federal law would solve only part of the problem, and could let companies treat notification compliance as a substitute for fixing the underlying weaknesses in their security practices.
‘‘The hackers and technology are going to move faster than any kind of standards that any well-intentioned, well-meaning bureaucrat can put together,’’ said Tom Ridge, former secretary of the Department of Homeland Security. ‘‘That may make you feel good, but I dare say it won’t go very far in making that company or your country more secure from cyberattacks.’’
Ridge, who has founded a security consulting firm with former presidential cybersecurity adviser Howard Schmidt, said deeper issues are at stake. Competing companies and the government must share more information on emerging threats to detect attacks earlier, he said. And companies, he added, must invest time and effort in detecting and reacting to attacks as they happen.
Carper said in a statement that his bill to institute a national notification law is not supposed to be a one-size-fits-all solution, but would provide a much-needed backdrop on which others could build.
‘‘It requires that these policies and procedures are appropriate to the sensitivity of the information the entity is collecting, as well as the size and complexity of the entity itself,’’ Carper said in the statement.
But security experts worry that too many standards could force companies to issue hurried disclosures before fully understanding the scope and impact of a breach.
‘‘We used to be able to have time to do an investigation before we ran out and scared millions of people,’’ Sotto said.
With the number of cyberattacks rising and drawing wider attention, businesses must act more quickly to reassure angry customers, even in the absence of a law, consumer advocates said.
‘‘Folks aren’t going to use technology or engage in commerce if they can’t put their trust in it,’’ Derahkshani said. ‘‘It’s in everyone’s best interest for this problem to be addressed.’’