Craig Hoffman and Charlie Shih write:
One of the first questions companies ask us when we are hired to help them respond to a new security incident is how fast they have to notify if the investigation shows that a “breach” occurred. Except for a couple of states that require notification to occur no later than 45 days after discovery, there is not a bright-line, objective answer. Most state breach notification laws require notification to occur as soon as reasonably possible and without undue delay subject to some qualifications.
Read more on Data Privacy Monitor.