Thank you, Mr. Chair.
I might be duplicating some of what my friends with the chamber said, but we believe it has to be a risk-based approach. You have to look at whether you're dealing with an incident that has some materiality attached to it. I think you have to have some reasonable grounds to believe that the disclosure has in fact taken place. You're saying something went missing. Well, under what circumstances? Could it still be within the company somewhere and it hasn't gone out of the office? You have to make that determination.
And you have to look at whether there's a significant risk that the individuals whose information you're dealing with could suffer some harm from this. I think you do that by analyzing the sensitivity of the information, whether that information was encrypted and in what form, and by consulting with your regulators to ensure they're aware of the situation and to get some good advice from people who can look at this from perhaps a broader perspective than the company itself. You look at all those factors to determine whether notification should be made.
We discussed this morning that there are a number of guidelines being developed across the country. One of the advantages of not mandating very specific rules in this area is that you can develop guidelines that are similar, apply across the board across Canada, and retain that flexibility to deal with the variety of incidents you could have.
In your introduction to that question, you indicated there were different instances, different possible breaches, etc. They were all different in type, so I think you have to look at all those factors.