In January, the first news emerged about possible credit card breaches at East Coast and Midwest locations affiliated with Wendy's and its quick-serve restaurants chain.

Almost four months later, Wendy's issued an official acknowledgement, but through its first quarter financial report. The company confirmed malware on POS devices at fewer than 300 of the company's 5,500 franchised stores and none in any corporate-owned locations.

“While Wendy's has not yet fully completed its investigation into the breach, its preliminary data indicated the breach likely first started in the fall of 2015 and involved the installation of malware through compromised third-party vendors,” the report said. The fast food chain also revealed approximately 50 franchise restaurants with unrelated cybersecurity issues.

“The findings come as many credit unions and banks feeling card fraud pain because of the breach have been grumbling about the extent and duration of the breach,” Brian Krebs, who first disclosed the breach on his blog Krebs on Security, wrote. Multiple financial institutions said some breached locations were still leaking customer card data in early Spring.

In April, the $41.6 million New Castle, Penn.-based First Choice Federal Credit Union filed a breach-related class action lawsuit against Wendy's.

The lengthy time involved in the detection and notification process is not uncommon.

“Finding out about a breach and determining the scope, then looping in legal, PR and outside third-party mitigation parties simply takes a lot of time due to the hidden nature of the breach,” Stu Sjouwerman, founder and CEO of Clearwater, Fla.-based KnowBe4 said.

“According to the Verizon Data Breach Investigations Report, 66% of breaches took months, sometimes even years to detect,” John Peterson, vice president of enterprise products at Clifton, N.J.-based Comodo, said.

“Until consumers are more aware of and begin making noise about these delays, specific governmental intervention may not happen for some time,” Peterson added.

In April, the European Parliament approved General Data Protection Regulation rules, which applies to any business with customers in the European Union directly or online. The GDPR, set to begin in two years, requires organizations that experience a data breach to report it within 72 hours of the company becoming aware of the breach. Violating the rules could cost a firm as much as 4% of its worldwide revenue.

“The step taken by the European Union could be a model for our government to follow, allowing the cybersecurity community as a whole to get a better handle on threats. And the individual consumer will benefit as well,” Peterson said.

In the U.S., breach notification laws fall mostly to individual states. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify compromised individuals of data breaches.

Tennessee recently amended its law. Starting July 1, companies must notify Tennessee residents of data breaches immediately, defined as within 45 days of discovery, unless law enforcement requests a delay.

“The problem is that the U.S. favors business autonomy from the government. I do think [notification] legislation is possible, but not probable until 2020 when enough voters have felt these effects and other industries feel the losses,” Paul Kubler, digital forensics and cybersecurity examiner at New York-based LIFARS, said.