From Decipher:

Research from the R Street Institute in June tracked at least 24 existing cybersecurity incident and breach reporting policies (not including state, local, tribal and territorial reporting mandates) that showcased variations in the authoritative agencies receiving the reports, the scope of reporting, the definition of disclosure and the timeline to disclosure.

“You have to report the same information to a lot of different entities, and this isn’t even at the state level,” said Sofia Lesmes, senior research associate, Cybersecurity and Emerging Threats with the R Street Institute. “So you could hypothetically see some businesses or banks saying ‘well, I already reported to the government once, why do I have to now to three different banking institutions?’”