Earlier this week, virtual private network service provider NordVPN formally announced that one of its third-party data centers in Finland had been hacked back in March 2018. The confirmation arrived shortly after rumors began circulating online about the unauthorized intrusion, but more than a year after the actual incident itself.

Since personal data was not compromised during the hack, NordVPN was spared the burden of having to comply with any one of a number of state breach notification laws dictating the timelines companies must abide by when alerting impacted parties about a cyber intrusion.

However, while most of those states typically place those notification windows around 60 days or less, there are several factors that can impact if and when that clock starts running.

"I wouldn't say any of these deadlines get extended. The question is whether they get triggered or not," said Mark Schreiber, a partner with McDermott Will & Emery.

Successfully determining the answer to that question can on occasion be incredibly complicated, and time-consuming.

Michael Waters, a shareholder at Polsinelli, used the example of a company that finds malware on its system and is forced to confront a series of questions, such as what that malware does, how it got into the system and what else the person who put it there may have been able to access.

"Oftentimes just because you know that there's been some sort of data incident doesn't mean that you know that a 'breach' [has occurred]," Waters said.

Per Schreiber, some states do allot organizations the time to perform the forensics necessary to determine the nature of the cyber intrusion that has occurred.

For the company's legal team or counsel, that typically means working their way through a series of long flow charts to determine what state breach laws may or may not have been triggered.

While that process usually begins immediately, the time it requires is difficult to quantify since forensic results emerging in parallel can often change the answer. "There's not a single bright line to how long the process takes," Schreiber said.

Still, organizations shouldn't be tempted to use that analysis to postpone notification indefinitely. Waters indicated that states are typically not inclined to view ignorance as bliss.

"They will often ask questions about when did the incident occur, when did you become aware that there was a breach and other timeline items. So it is important that the organization address these things promptly," Waters said.

But if a company like NordVPN finds itself without any legal obligation to disclose the breach, why come forward at all?

Schreiber indicated there can sometimes be strategic reasons for companies to come forward of their own volition, whether it's because news has started to leak indirectly or they simply want to be proactive.

"I haven't seen too many voluntary notifications, but sometimes it happens," he said.

Waters, on the other hand, pointed to gray areas such as usernames or passwords, which only some states classify as personal information. Some companies may consider it their fiduciary or moral obligation to let people know those items may have been compromised.

"A lot of time the calculus is going to be around, what is the impact going to be to individuals if we don't provide notice?" Waters said.