Lower Towamensing man told about hack 10 months late

With the frequency of data breaches these days, it may feel as if you're gambling every time you swipe your credit card or fill out a form giving a business your personal information.

If your information does get swiped by a hacker, it's not a sure bet that you'll be notified immediately.

Ken Kasick of Lower Towamensing Township received a letter from Sands Casino Resort Bethlehem late last month alerting him that his information may have been exposed during a cyberattack last February.

"My question is why would it have taken that long to send out that letter?" he wondered, noting his son received a letter not long after the breach.

He told me he's seen no fraudulent activity on his accounts, but he doesn't believe being notified 10 months after a data breach is acceptable.

Other Sands Bethlehem patrons also received letters in December about the February breach.

The letter Kasick received doesn't address the timing of it.

Sands Bethlehem spokeswoman Julia Corwin said the investigation into the cyberattack is ongoing and additional customers have been identified recently as possibly being affected, so they're just getting letters now.

"If we find any suggestion that a customer's personal data may have been compromised, we're going to let them know," she said.

I can understand that, but it raises another question, about why it would take that long to discover the full extent of the breach.

Kasick, an occasional poker and slots player, wonders whether the solution would have been for the Sands to notify all of its patrons about the breach immediately after it happened, to alert them about the potential for problems.

Consumers deserve to know about data breaches as soon as possible so they can take precautions such as monitoring their accounts, putting a fraud alert on their credit reports and canceling compromised credit cards.

If you're wondering whether there's a law that requires notification, there is. But it doesn't say when you must be told.

Pennsylvania's Breach of Personal Information Notification Act says only that "notice shall be made without unreasonable delay."

Most other states, including New Jersey and New York, have similarly vague laws when it comes to notification. They use terms like "expedient," "expeditious" or "as soon as possible."

A few states do set deadlines. Ohio, Florida, Vermont and Wisconsin require notice within 45 days. But they, along with other states including Pennsylvania, permit notice to be delayed if law enforcement agencies believe that would impede their investigation.

State laws differ in other ways, too, such as when notification is required. Some states, including Pennsylvania, require it only if a hacker accesses unencrypted and unredacted data. Only some require breaches be reported to consumer protection authorities, too.

The lack of continuity among state laws has prompted calls for a national data breach notification law.

Last February, coincidentally only weeks after the cyberattack on the Sands, U.S. Attorney General Eric Holder asked Congress "to create a strong, national standard for quickly alerting consumers whose information may be compromised."

"This would empower the American people to protect themselves if they are at risk of identity theft," Holder said. "It would enable law enforcement to better investigate these crimes and hold compromised entities accountable when they fail to keep sensitive information safe."

A broad group of 16 trade associations wrote to Congress last year with the same request.

"We continue to believe that meaningful data breach notification legislation must establish a clear federal standard that preempts the patchwork of state laws in this area," said the letter from organizations including the National Retail Federation, Direct Marketing Association and American Advertising Federation.

The letter said the differences in state laws "frustrate efficient and uniform breach notification to consumers."

Federal legislation has been introduced but hasn't made it to a vote. Several bills died in Congress last year. Some proposed deadlines for providing notice, such as 30 or 60 days, but also allowed for delays at the request of investigators.

Among those who agree a national law is needed is Sen. Pat Toomey, who drafted a bill in 2013.

His proposal, though, wouldn't have been any stronger than Pennsylvania's law in regard to when customers should be told their information was exposed.

Pennsylvania's data breach law does not require the attorney general's office to be notified about a breach, spokesman J.J. Abbott said. But that office can investigate whether a company had adequate protections in place to prevent a breach.

Last week, the attorney general's office announced it reached a settlement with Zappos, an online retailer owned by Amazon and based in Las Vegas, that would strengthen the company's "accountability" following a data breach in 2012.

According to the attorney general's office, the attacker was able to access sensitive data of millions of consumers nationwide.

That prompted an investigation by authorities in several states, led by Connecticut. The attorney general there wrote to Zappos shortly after the breach seeking information to be shared with investigators in other states, including Pennsylvania, so they could "evaluate the adequacy of the efforts Zappos has made to protect consumers' sensitive information from improper access, as well as its actions in response to this breach."

Distributed by Tribune Content Agency, LLC