Earlier in January, Target began notifying customers about a massive security breach that exposed the debit and credit card information of many who had shopped in its stores. One email to a customer fittingly began with: "As you may have heard or read ..."
By the time Target sent this message, nearly a month had passed since the retailer publicly confirmed the breach. That admission was prompted by the findings of one Internet security writer and came four days after the retailer is said to have become aware of the incident.
Some have criticized Target for waiting too long to disclose its security breach, suggesting the retailer may not have wanted to undermine the peak holiday shopping season. For better or worse, though, Target's decision not to reveal the news immediately puts it in good company. Neiman Marcus also waited weeks to reveal a security breach that took place in the second half of last year, as have other businesses such as Barnes & Noble.
"It's a real balancing act," says Ted Julian, CMO at Co3 Systems, which provides software to businesses to help manage security breaches. He notes that businesses often don't want to jump the gun and reveal news about breaches before having all the details. "You don't want to issue an announcement in the morning and then have to do another in the evening that's completely contradictory."
On the other hand, if retailers wait too long, they may be heavily criticized for keeping customers in the dark. In essence, it's a lose-lose situation for the retailer.
Target, one can argue, has experienced the worst of both. It was criticized for waiting four days to disclose, yet appears to have made that disclosure before knowing all the details. It has since revealed that the breach may have affected tens of millions more consumers than it first realized, and that encrypted debit card PINs were stolen as well.
At the moment, there is no nationwide standard for how U.S. businesses must handle disclosing security breaches. Some 46 states and the District of Columbia have laws in place that require businesses to disclose, but according to Julian, "each state's regulations are slightly different [and] have different triggers." These laws set different thresholds for disclosure based on factors such as the number of customers affected or the type of personal information exposed.
In one infamous example from the mid-2000s, ChoicePoint, a data aggregation company, notified 35,000 customers in California of a security breach because state law required it, but did not immediately notify more than 100,000 additional customers in other states whose laws did not require notification at the time.
Behind the scenes, businesses take time to navigate the various state laws and typically contact law enforcement to investigate the situation. Once law enforcement is involved, it may request that notification be delayed so as not to compromise the investigation, which buys the retailer more time before the breach must be disclosed.
In the meantime, it may fall to the banks to break the news that a customer's credit or debit card has been compromised. This can create a point of tension between banks, which have a natural interest in disclosing quickly because they bear the fraud losses and the cost of reissuing cards, and businesses that may be motivated to wait.
"The retailer, while you'd want them to be the first in line, in the end they don't have any real stake in it," says Robert Siciliano, an identity theft analyst. The business's real job, he says, "is to tighten up their existing systems and eventually notify the consumer. It's the credit card issuer that ultimately issues [new cards]."
On Sunday, Reuters reported that other retailers in addition to Target and Neiman Marcus may have been breached during the holiday season, but their names have not been disclosed.
It appears Americans will have to wait yet again to find out whether and how they're impacted.