In effect, your making reporting of significant breaches compulsory is not going to change practice. You are going to look at these on a case-by-case basis. You will be working on an ongoing basis with the institution and you will be working with the private sector to figure out guidelines as to when it will actually be necessary to report a breach.
