Getting back to the order-making capabilities, my understanding is that the only major order-making capability the commissioner has now is to identify a company that's breached something, which I think Mr. Lawford said she has done either not at all or once.
What happens if there's been an identity theft because of some action of a corporation or individual, and it's been established that the identity theft was caused by confidential information being released? And when you say order-making power, are there any suggestions on what other penalties there should be?
I'm thinking specifically of a very serious case where someone has stolen someone's identity and the most you can do is say, “Oh, the company breached it,” because that's all there is.