"Retailers Can Wait To Tell You Your Card Data Have Been Compromised"

MELISSA BLOCK, HOST:

This is ALL THINGS CONSIDERED from NPR News. I'm Melissa Block.

ROBERT SIEGEL, HOST:

And I'm Robert Siegel.

When a retailer's computers are hacked and consumer information is stolen, how fast should a company let its customers know? Well, hacking at Target and Neiman Marcus has thrown a spotlight on that question. Millions of credit card numbers were stolen from both companies. In the case of Neiman Marcus, the breach went back as far as July. The company says it didn't detect any trouble until mid-December, and it didn't tell customers until January 10th.

NPR's Laura Sydell reports that the law on this is murky.

LAURA SYDELL, BYLINE: You'd think that if your credit card info and all that other information you shared with a retailer got stolen, the business would let you know ASAP.

PETER GUFFIN: This is much more complex than what you might think.

SYDELL: Peter Guffin, an attorney who specializes in privacy and data security, says there's a patchwork quilt of laws.

GUFFIN: You've got 46 states - I believe, at last count - who actually have their own notions of data breach notification.

SYDELL: Guffin says the states vary about how much the retailer has to let you know about the breach, exactly when they have to tell you. Some states say companies don't have to alert consumers unless there is a real risk of harm. Guffin says the only place they tend to agree.

GUFFIN: Most states want you to be notifying affected individuals as expeditiously as reasonably possible.

SYDELL: But - and there is a but - consumer advocates point to a big exception to this rule that gives companies a lot of room. Jamie Court is with the advocacy group Consumer Watchdog.

JAMIE COURT: If there's a law enforcement investigation going on or if a disclosure about a data breach could impede a law enforcement investigation, then companies don't have to inform consumers of the breach immediately.

SYDELL: Court says companies can use an ongoing investigation as a reason to delay when they fear it will have a negative impact on their bottom-line. He's been suspicious that Target and Neiman Marcus may have delayed notifying customers about recent security breaches.

COURT: It happened during the Christmas buying season. And we just can't be sure until law enforcement tells us when the companies knew about the breach and whether they delayed the information getting to the American people.

SYDELL: In emails, spokespeople for Neiman Marcus and Target say they are confident that they are meeting all legal notification requirements.

Privacy and data security attorney Guffin says there are some good reasons companies don't send out notifications the minute they see signs of a security breach.

GUFFIN: You might discover today a so-called breach. But it's going to usually take a fair amount of time to do a proper investigation to figure out what happened.

SYDELL: However, Guffin admits there are powerful economic incentives to keep the breach quiet for as long as possible. A report by the Ponemon Institute, which does research on security issues, looked at the cost to companies that alerted customers quickly and those that didn't.

GUFFIN: Quick responders paid significantly more than companies that moved a little bit more deliberatively, in terms of their responding.

SYDELL: Guffin says factors like sending out more notifications than necessary, false alarms and harm to reputation raised the cost. Consumer advocates, like Jamie Court, are aiming to make the price of withholding information higher. He thinks it's too hard for consumers to sue companies for damages.

COURT: Your privacy doesn't have a monetary value and under almost every law that I know of there's no way to sue to make the company pay a price for not being forthcoming enough in a timely way.

SYDELL: Both Court and Guffin think the federal government should make one law governing notification to consumers of security breaches. Court and Guffin say the current patchwork just raises the cost and the aggravation for everyone.

Laura Sydell, NPR News.