Thank you very much.
You don't pass privacy laws to require good corporations to act responsibly. You pass laws because you have other companies that don't accept those responsibilities. The very first complaint investigation under the Alberta privacy commissioner's office involved three companies that had disposed of very detailed personal records containing tons of personal information, financial data, by putting those into the dumpster. The only way those companies were found out was when the Edmonton police force found the records, which were being sold to identity thieves, and it was able to go to the Privacy Commissioner and say they knew where those records came from.
You need to have a breach disclosure requirement that requires all companies to act responsibly. There is a great risk, even though insurance companies, I'm sure, will do the right thing. There are lots of other corporations and small businesses in Canada that might see the reputational effect going the other way. They would rather hide the fact that they had breached the law and not disclosed to anybody that their data had been stolen. So you could have your credit compromised, and unless the police did the investigation and found out the source, you might never know where the data breach had actually happened. I think there is a requirement to have some kind of disclosure mechanism built into the act and to have some kind of penalty there to encourage small businesses to actually obey the law.