We think an agency should be appointed to be responsible for that. It should be done, first of all, by requiring organizations that encounter ID theft in their operations—and I know this would be an added burden on business—to keep track of identity theft incidents that their customers have actually suffered, or they have suffered, or that they've avoided and they know about, and to report those annually.
I think that's a way of getting a much better sense of the extent of the problem.