We were being pretty collegial.
The next issue is brief as well.
I notice that you identify duty to notify as a key concern in your brief. We dealt with that a lot during the review of PIPEDA, and the private sector came in with gnashing of teeth and rending of garments that this was an overwhelming inconvenience. It was impossible. We couldn't possibly tell people, just because we screwed up and lost their information or put it in a dumpster, or something. It would be unbelievable. So we ended up with a very soft recommendation on the duty to notify, leaving it quite mushy.
How far would you go? I notice that you say notice should be given if there's a breach, or even a potential breach.