There are two purposes, in our view, of security breach notification. One is to give individuals the ability to take precautionary measures if it's the kind of situation in which they can. But the second and equally, if not more, important reason is to provide these incentives that I keep talking about on organizations to take those security measures in advance in order to prevent the security breach in the first place. The incentive there is that it's going to get out in the media and they're going to suffer reputational damage.
So I have some concerns with a regime that requires the organizations to report only to the Privacy Commissioner and not necessarily make it public. If you want to get that incentive in place, the information needs to be made public so that the media can decide whether it's newsworthy, and if so, report on it.