The financial technology company started notifying investors on May 17 that their names, addresses, birthdates and Social Security numbers were publicly exposed online due to an internal flaw, but it said it found the vulnerability on March 4. All 50 states now have customer-notification rules pertaining to corporate data breaches, with time limits as short as 45 days in Ohio or 30 days in Florida.