That's why I introduced my comments saying this is not necessarily an attack on anyone. I'm looking at the policy that you're recommending to the Privacy Commissioner--to notify only if there's a risk of fraudulent activity. Doesn't the release of any information allow for the possibility of identity theft or fraudulent activity? The police tell me that if a credit card is stolen, nothing may happen for a year.
On January 30th, 2007. See this statement in context.