‘The notices required under paragraphs A and B must be made as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement pursuant to subsection 3 or with measures necessary to determine the scope of the security breach and restore the reasonable integrity, security and confidentiality of the data in the system. If there is no delay of notification due to law enforcement investigation pursuant to subsection 3, the notices must be made no more than 30 days after the person identified in paragraph A or B becomes aware of a breach of security and identifies its scope.’