Organizations take an average of 194 days to discover data breaches and fewer than 10% would meet California's new 30-day notification deadline, leaving consumers exposed for months without knowledge
The global average time to identify a data breach is 194 days, with a further 60 days needed for containment, for a total breach lifecycle of roughly 254 days during which attackers retain undetected access to the compromised environment and to the data taken from it. Healthcare is the worst-affected sector, averaging 279 days to identify a breach. Notification lags on top of detection: despite legal requirements, the most common notification window is 91-180 days after discovery, and fewer than 10% of breached organizations would meet California's new 30-day notification standard under SB 446. Note that the notification clock runs from discovery, not from the initial intrusion, so the detection gap and the notification gap stack rather than overlap.

Why it matters: consumers whose data has been stolen typically go 6-9 months without knowing they are at risk. They cannot freeze credit, change passwords, or take other protective action during the period when their data is being most actively exploited, so identity theft and fraud accelerate during the notification gap. The average breach now costs $4.44 million globally and $10.22 million in the U.S., and those costs are ultimately passed on to consumers through higher prices and reduced services.

The structural root cause is that most U.S. states impose only vague notification requirements such as "without unreasonable delay," with no hard deadline. Even jurisdictions with specific timelines (California's 30 days under SB 446, GDPR's 72 hours) lack enforcement strong enough to compel investment in faster detection. Organizations underinvest in breach detection because the financial consequences of delayed notification are largely externalized onto consumers.
Evidence
The IBM Cost of a Data Breach Report found a 194-day average identification time and a 254-day total breach lifecycle. Healthcare breaches average 279 days to identify. The global average breach cost is $4.44 million; the U.S. average is $10.22 million. Fewer than 10% of breaches would meet California's new 30-day SB 446 notification standard. Organizations with AI-powered detection identify breaches 80 days faster and save $1.9 million compared with manual detection. Internal security teams improved from detecting 42% of breaches (2024) to 50% (2025). California SB 446 (November 2025) established a 30-day notification requirement. GDPR requires notification to supervisory authorities within 72 hours. Sources: IBM, RadarFirst, IAPP, Varonis, Privacy Rights Clearinghouse 2025 Data Breach Report.