Thank you, Mr. Chair.
Obviously my personal information hasn't been disclosed, because Mr. Tilson said “Who's he?”, so I should be pretty safe then. I'm safe.
You made a couple of comments on security breach disclosure, and also on the timeliness of reporting. I just want to follow up on a couple of those.
Just about a month or so ago we got a letter from a company that my wife had been working for in the U.S. It indicated that a computer with a lot of personal information from a number of employees had been stolen. The letter detailed in infinite steps what happened, roughly when they thought it had happened, and the detailed steps that we needed to take to protect ourselves. While it was traumatic being told that, we were still able to know what the actions were.
So my question to you is, with something like that in this large government bureaucracy, given your experience, how long would you say it would take to implement something like a breach disclosure requirement? It wouldn't seem to me to be that easy to implement.