Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised?

A. Industry standards
B. Information security policy
C. Incident response plan
D. Industry regulations