NEW YORK (Reuters) - A decade of lawmaking by U.S. states to ensure consumers are told when their data has been hacked still lets companies such as Target Corp wait weeks or even months to disclose security breaches.