Thank you.
I will come back to my wonderful question. There are some companies that are responsible enough, including those that deal with mutual funds. For the moment, legislation does not require that businesses notify clients. A friend of mine received this type of letter. I do not know if he has the same mutual funds as Mr. Wallace. In the letter, that I saw with my own eyes, this person was told that they simply wanted to let them know that they had more or less lost their personal information, but that the risk due to the loss was not very high.
Nothing is very clear. We are not aware of the consequences of the loss, nor of the theft of which they were a victim. People are not quite sure what to do either. Mr. Wallace decided to throw his notice into the garbage, but some people filed that information in their heads under worry and anguish.
Do you not believe, Ms. Stoddart, that the legislation should oblige all businesses to notify their clients, according to reasonable conditions? I know you put forward some proposals in your document. Let us presume that the consumer's financial security is at stake, that the risk is serious enough. I know that you have the necessary resources to identify such situations. Do you not believe that first and foremost, there should be a duty to notify the client? In this notice—and it would be a good idea to have that formula drafted by the people in your office—the risk that the consumer in question is facing could be clearly set out, along with the lost or stolen information. I think that the client should know that. It is not enough to tell him that a little problem has cropped up.
There should also be the possibility of some remedy. You mentioned that in Quebec, it is possible to launch a class action. The fact remains that the legislation we are discussing here was designed for the consumer who receives this kind of letter at home. When one considers a class action suit, it is not easy to know where to begin. The business should be responsible for specifying the type of remedy. It should also—and it was one of our witnesses that put forward this suggestion, which I found interesting—compensate in whole or in part the damages that were caused. How could that be done? By taking certain steps itself, for example by sending out the kind of fraud warning to businesses that collect credit information. Indeed, taking those kinds of steps themselves represents a lot of work.
In short, should businesses not have that duty?