It’s been a day since Yahoo confirmed a massive data breach, and still there are more questions than answers. We still don’t know who carried out the hack that compromised more than 500 million accounts, or precisely what the hackers obtained.
But the biggest question is about Yahoo itself. There is strong evidence Yahoo knew about the attack for well over a month, and possibly much longer. So why did it wait so long to warn everyone?
Instead of promptly telling everyone to change their password, Yahoo appears to have just sat on the information. The closest thing to an explanation from the company is that there is an “ongoing investigation.”
Whatever the cause, Yahoo’s foot-dragging may be more than poor judgment. It may also be illegal given laws in 47 states that require companies to alert consumers when they’ve been hacked.
The notice periods vary from place to place. Some states require companies to notify customers about data breaches within 30 or 45 days, while others use more general language like “as soon as expedient” and “without unreasonable delay.” In those states, the notice period may be shorter—a recent case pending in California is claiming that even two weeks may be too long, according to Aaron Tantleff, a lawyer with Foley and Lardner.
So how long after Yahoo learned of the hack did it warn consumers? We don’t know for sure. The company acknowledged in early August that it was looking into reports of Yahoo accounts for sale on the Internet. But the hack itself occurred in late 2014, so it’s also possible the company has known about the breach for much longer and just covered it up.
Get Data Sheet, Fortune’s technology newsletter
There is, however, one explanation that could justify Yahoo’s failure to promptly disclose the hack. According to the Tantleff, the state laws make allowance for law enforcement proceedings. This means it’s possible Yahoo informed the FBI about the hack, and the agency instructed the company to wait before going public with the news.
Update: A person close to the company, who did not want to be named, sent the following statement in response to a question about the delay.
Following a report earlier this summer (July 2016) of a hacker indicating that 280 million user credentials were for sale on the black market, we initiated an internal investigation and ultimate found no evidence to substantiate the hacker’s claims. After we completed that investigation, our internal security team continued to conduct a broader, deep dive review of our systems. In so doing, they identified evidence of the theft by a state-sponsored actor occurred in 2014.
This explanation appears to be plausible. If it’s accurate it wound not, however, necessarily mean Yahoo complied with the state notification laws.
You can read a Q&A about the Yahoo breach here. Fortune‘s Dan Primack also explains here why the breach could put Yahoo’s merger with Verizon in jeopardy. Finally, here are five ways a company can avoid being sued over a data breach—though it may be too late for Yahoo.
This story was updated at 1:25pm ET to include Yahoo’s response.
