Varying Laws Allow Companies To Delay Notifying Consumers Of Hacks

It took Target mere days to notify consumers that their personal information had been breached. Not fast enough? Well, it could have taken months before the incident was made public, thanks to state laws that vary in how long they give companies to announce cyber hacks.

Forty-six states have laws requiring companies to make security breaches public, but many of those laws allow notification delays for investigations, which could take weeks or even months, the Chicago Tribune reports.

Florida, Wisconsin and Vermont laws give companies 45 days from the discovery of an intrusion to notify consumers, while California asks only that disclosures be made without unreasonable delay – taking into account law enforcement needs and the time a company needs to restore integrity.

Target and fellow retailer Neiman Marcus announced the security breaches that compromised consumers’ personal information four and 10 days, respectively, after the incidents were discovered.

Failing to disclose breaches can result in penalties, but those also vary by state. Some states issue penalties for each attack, while others decide penalties by how many consumers were affected. Some states even allow consumers to file lawsuits against a company for unreasonable delays.

In 2011, the U.S. Securities and Exchange Commission issued guidelines that public companies must follow in connection with cyber breaches, including telling investors the attack occurred. However, those disclosures typically come in a company’s next filing, which could be months away, and tend to include only generic risk factors, the Chicago Tribune reports.

On Dec. 18, Target announced more than 40 million consumers were affected when its in-store credit and debit card processing system was compromised. That number more than doubled on Jan. 10 when Target announced the breach had possibly compromised 110 million consumers’ personal information. The incident is reported to have taken place between Nov. 27 and Dec. 15.

Target CEO Gregg Steinhafel told CNBC the company announced the breach four days after discovering the problem and that the breach was contained the day it was discovered.

“I found out on Sunday [Dec. 15],” recalled Steinhafel in the interview. “Sunday was really day one… That was the day we confirmed we had an issue, and so our number one priority was to do the right thing for the guests. It was about making our environment safe and secure.”

Since the announcement, the chairs of the Senate Commerce Committee and the Senate Consumer Protection Subcommittee have written to the retailer asking how a breach this large could occur.

On Jan. 10, upscale retailer Neiman Marcus announced hackers compromised credit and debit card information for an unknown number of consumers in mid-December. The company said the discovery was made by a forensics firm on Jan. 1.

Target and Neiman Marcus aren’t the only retailers to suffer hacks. Earlier this week a new report announced that three “well-known U.S. retailers” had credit card information compromised and that there might have been breaches earlier in 2013 that were not made public.

Laws let companies wait weeks, months to disclose data breaches [Chicago Tribune]
