I can address that first. I certainly agree with you, Mr. Martin, that we need to have some formal legal duty to notify built into the act. I think Canadians demand it, just to build trust in the electronic commerce world.
I don't necessarily recommend the U.S. approach; in that approach, most state laws are based upon the California model that was the first law. It's very binary, in the sense that if any one of certain specific elements is disclosed in an unencrypted form, you must notify.
I think David Loukidelis, who is watching this to see whether the model works or not, made the point when he was here that it could lead to tons of disclosure notices going out to people, and they become lost in the.... You get so many that you end up losing the impact.
I certainly think there needs to be a certain level of discretion given to business about when they notify, but it should be based upon objective standards, such as a reasonable person's standard, which is something on which the law is fairly clear. It's based, of course, upon the tort of negligence and the idea that reasonable persons must act in a prudent manner. It is something you could look at very objectively. I think the duty should be there so that if there is any breach whatsoever--not just of financial data, but of health information or anything else that is sensitive information--and a reasonable person would expect notification of it, then you must notify the public.