I think that’s a good question. Your suggestion is probably very interesting. I think that, in any case, an insurer will do that if there is a serious information breach. It is clear that it will have to make risk-based decisions, if only with the insurance regulator, for example. The superintendent of financial institutions monitors risk management. There are specific risk-management regulations that apply to insurers. At that point, the superintendent of financial institutions would have to be advised, if there is a dangerous breach, if there is a threat to the company’s reputation or a business risk. All these things must be revealed to the regulator.
On February 1st, 2007. See this statement in context.