InformationWeek has an article about how the data breach notification laws often result in extended times for disclosure. The AIG breach was made public over three months after the theft of the equipment.

Companies can use considerable discretion in how fast, how broadly, and under what conditions they must disclose customer data breaches, since the laws vary widely from state to state. Businesses with customers in states with data-breach disclosure laws generally are required to notify customers as soon as possible after discovery of a data breach. But state laws don't set a specific time within which companies must comply, using language like "without unreasonable delay" and "the most expedient time possible." Most of the 33 state laws say law enforcement can delay customer notification if that would impede an investigation…