What Is “Reasonable” Notification After A Breach?

A growing number of states have laws that mandate timely notification after a data breach, but these laws are short on specifics. They say things like “without unreasonable delay.” In Colorado, one legislator wants to nail it down and make it 30 days – that is, if the breach is serious enough. How serious would that be? There would need to be, as this article from the Pew Charitable Trust Stateline blog renders it, “sufficient evidence personal information has been or is likely to be misused.” Of course that stricture itself leaves plenty of room for lawyerly argument, but the prospect of time limits, however defined, clearly has some industry groups nervous.