Recent disclosures by the FDIC and Wendy's following breach incidents underscore the protracted nature of detection and post-breach notifications. States in the U.S. and the European Union hope to shorten that timeline.

Last month, the FDIC detected and moved to mitigate a breach of 44,000 customer records after an employee leaving the agency in February inadvertently downloaded the data, containing personally identifiable information, to a removable media device.

Earlier this week the FDIC reported to Congress that five additional major data-breach incidents had occurred since Oct. 30. In every case, employees with legitimate data access left the agency and inadvertently downloaded personal data. The agency reported the breaches retroactively because the FDIC had closed the cases before its Office of Inspector General defined them as major incidents, a category covering breaches of at least 10,000 records.

The NCUA has not had any similar reported incidents or PII breaches, according to Public Affairs Specialist John Fairbanks.

In January, the first news emerged about possible credit card breaches at East Coast and Midwest locations affiliated with Wendy's and its quick-serve restaurant chain.

Almost four months later, Wendy's issued an official acknowledgement, but did so through its first-quarter financial report. The company confirmed malware on POS devices at fewer than 300 of the company's 5,500 franchised stores, and none in any corporate-owned locations.

“While Wendy's has not yet fully completed its investigation into the breach, its preliminary data indicated the breach likely first started in the fall of 2015 and involved the installation of malware through compromised third-party vendors,” the report said. The fast food chain also revealed approximately 50 franchise restaurants with unrelated cybersecurity issues.

“The findings come as many credit unions and banks feeling card fraud pain because of the breach have been grumbling about the extent and duration of the breach,” Brian Krebs, who first disclosed the breach on his blog Krebs on Security, wrote. Multiple financial institutions said some breached locations were still leaking customer card data in early spring.

In April, the $41.6 million New Castle, Penn.-based First Choice Federal Credit Union filed a breach-related class action lawsuit against Wendy's.

The lengthy time involved in the detection and notification process is not uncommon.

“Finding out about a breach and determining the scope, then looping in legal, PR and outside third-party mitigation parties simply takes a lot of time due to the hidden nature of the breach,” Stu Sjouwerman, founder and CEO of Clearwater, Fla.-based KnowBe4, said.

“According to the Verizon Data Breach Investigations Report, 66% of breaches took months, sometimes even years, to detect,” John Peterson, vice president of enterprise products at Clifton, N.J.-based Comodo, said.

“Until consumers are more aware of and begin making noise about these delays, specific governmental intervention may not happen for some time,” Peterson added.

In April, the European Parliament approved the General Data Protection Regulation, rules that apply to any business with customers in the European Union, whether directly or online. The GDPR, set to take effect in two years, requires organizations that experience a data breach to report it within 72 hours of becoming aware of the breach. Violating the rules could cost a firm as much as 4% of its worldwide revenue.

“The step taken by the European Union could be a model for our government to follow, allowing the cybersecurity community as a whole to get a better handle on threats. And the individual consumer will benefit as well,” Peterson said.

In the U.S., breach notification laws fall mostly to individual states. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify compromised individuals of data breaches.

Tennessee recently amended its law. Starting July 1, companies must notify Tennessee residents of data breaches immediately, defined as within 45 days of discovery, unless law enforcement requests a delay.

“The problem is that the U.S. favors business autonomy from the government. I do think [notification] legislation is possible, but not probable until 2020 when enough voters have felt these effects and other industries feel the losses,” Paul Kubler, digital forensics and cybersecurity examiner at New York-based LIFARS, said.
