Again, the speed with which the notification needs to happen is commensurate with the potential harm. If there's a significant risk of harm, you would expect that this notification should take place very quickly so that people can act to protect the information that may have been breached.
So for instance, in the example of potential credit card breaches, individuals might want to act quickly to cancel cards or further protect themselves. Again, the legislation is not prescriptive but it does say, “as soon as feasible”.