Do you think it should be graded on how serious the breach was? For instance, I've heard that one of the credit card companies, which I won't mention for commercial interests, had over three million breaches or compromises that they haven't notified their clients about. But some of those may be a matter of pennies and they were quickly corrected. Would you try to gradate the severity of the incident as to what would have to be reported?
