Thank you, Chairman.
With respect to breach notification, our position is that there should be a risk-based approach to when notification should be made. In that regard, one looks at the circumstances of the particular breach to determine whether a breach has in fact occurred and whether the event requires notification. In doing that, certainly in the financial services industry, one notifies the Privacy Commissioner; one also notifies our financial regulators to bring them into the picture; and one looks at the particular circumstances of the information that may be exposed.
For example, you do a risk assessment. You determine whether that information can be accessed. If it's in a disk and it's encrypted in such a way that your forensic consultants tell you that the risk is really, really minute, then in consultation with the Privacy Commissioner and in consultation with the financial regulator, you can determine, you can assess whether you should reach out or not.
So we believe that's an approach that works.