Software engineers straight out of college often make six-figure salaries, not counting equity compensation.Technologyread more
Representatives from the Chinese side say they think it likely that Chinese President Xi Jinping will attend the G-20 meeting later this month. But in order to reach a trade...China Economyread more
Wall Street, though, is clamoring for a rate cut, with an 85% chance of a move in July and a 61% probability of three reductions by year's end.The Fedread more
A company spokesperson said the outage was the result of a "an internal technology issue" and was not security related.Retailread more
Using MIT's living wage calculator, CNBC Make It mapped out the minimum amount a single parent must earn to meet their basic needs without relying on outside help in every...Earnread more
In the survey, 66% of Democratic primary voters say they'd be enthusiastic or comfortable about Biden as their nominee to take on President Trump in the 2020 election. Just...Politicsread more
You can save money by doing a quick check and unsubscribing from apps you no longer use.Technologyread more
The flattening of the yield curve is exuding a bad omen for the stock market if history is any guide.Marketsread more
Stratolaunch, the world's largest airplane, which flew once, is up for sale, sources familiar told CNBC.Investing in Spaceread more
Transparency is key… or is it? With the first-ever non-transparent, actively managed exchange-traded fund receiving approval from the SEC, "ETF Edge" goes straight to the...ETF Edgeread more
Mired in a crisis over its best-selling 737 Max plane, Boeing could hand the spotlight over to its rival Airbus at the Paris Air Show.Airlinesread more
The Target data breach affecting 40 million credit and debit cards stems back to Nov. 27, two days before Black Friday. So why are we just hearing about it now, three weeks later?
Although it might seem like ages to affected consumers, in the scheme of data breaches, even three weeks is a pretty quick time frame to spot a breach and notify customers, according to Will Pelgrin, president and CEO of the Center for Internet Security.
"No matter how quickly an entity notifies you, it will never be fast enough for an individual that's impacted," he said.
It's unclear when, exactly, Target learned of the breach. The company has simply said, "We began investigating the incident as soon as we learned of it."
Target didn't immediately return requests for comment on this story.
Fraud and privacy experts say there's a typical process that retailers follow when customers' financial information is compromised.
"It's a pretty serious thing to not follow requirements on that, which is to report it as soon as possible," said Brian Riley, a senior research director at CEB TowerGroup. "Anytime there's a breach, they have to report it."
(Read more: Shop at Target? Data breach may hurt holiday sales)
State law determines how quickly a company must notify affected consumers of the breach.
"Forty-six out of the 50 states have a data breach notice law on the books," said Beth Givens, director of the Privacy Rights Clearinghouse. "Even for those four states that don't have it, the best practice is to provide notice."
The problem, she said, is that most of those laws don't set a firm timeline. "Most laws use wishy-washy words like 'reasonable' time frame," she said. Retailers could use that vagueness to their advantage, potentially holding off on alerting consumers until there's good news with the bad: Yes, there was a breach, but we know how it happened and have new protections in place.
Some laws also allow for a delay in notification at the request of law enforcement—which may want to keep the incident under wraps while an investigation is ongoing to better pursue the criminals.
It's not just local law enforcement, either. The Secret Service, the Treasury Department's law enforcement agency, has handled most such fraud cases since the mid-1980s, Riley said.
Brian Leary, a spokesman for the Secret Service, confirmed that the agency is investigating the Target data breach. He declined to comment further, citing the ongoing investigation. Leary also declined to say when the Secret Service was notified of the breach.
Of course, varying laws can also make it difficult for large retailers with locations in pretty much every state to be compliant, said Pelgrin. Each state has different requirements on what kind of breaches must be reported, which state agencies must be notified, and which steps taken.
"That alone is a very difficult process, which adds to the timeliness," Pelgrin said. Plus, it's happening at the same time a retailer is working with law enforcement and cybersecurity experts to determine the extent of the breach and remedy it.
In Target's case, experts say it's unclear whether state compliance or the Secret Service investigation delayed notification. But media attention may have pushed the retailer to make an announcement earlier. As NBC reported Thursday, first reports of the breach came from the blog Krebs on Security, with Target's announcement following.
Given the ability for companies to lag on notification, consumers' best recourse as breaches become more common is to monitor their accounts regularly rather than wait for monthly statements, Givens said.
Shoppers should also reassess paying with debit cards, which have fewer protections compared with credit cards in the instance of fraud.
Pelgrin advises consumers to alert their banks of potential fraud when they see notice of a breach in the media involving a retailer where they have shopped. Don't wait for the retailer to reach out directly, which may take even a few days longer, he said.
According to the Privacy Rights Clearinghouse, 621,955,664 records have been breached in the U.S. since state data breach notifications laws went into effect in 2005. Those are only the ones that have been reported—experts think the figure is much larger.
—By CNBC's Kelli B. Grant. Follow her on Twitter .