Do you think it should be graded on how serious the breach was? For instance, I've heard that one of the credit card companies, which I won't mention for commercial interests, had over three million breaches or compromises that they haven't notified their clients about. But some of those may be a matter of pennies and they were quickly corrected. Would you try to gradate the severity of the incident as to what would have to be reported?
On November 27th, 2006. See this statement in context.