I'm not sure that it's easy to implement security breach disclosure legislation, but it has been implemented effectively in some organizations in the U.S. that are probably equal or quite close in size to the federal government and are located in multiple jurisdictions with client bases that could rival, in theory, the number of people who might be affected by a security breach from a governmental perspective.
I don't think it's easy, but I think it's essential. In light of both the concerns around identity theft, as well as to create appropriate incentives for real safeguarding of that personal information, mandatory security breach disclosure legislation has proven by far to be the most effective tool in addressing both of those issues, based on our experience to date in the United States.
We have certainly seen quasi-public state organizations face those requirements in the U.S. And it's come up, particularly in a university context. Some very large universities--including the University of California, which is one of the largest sets of state universities in the United States--have faced precisely these kinds of issues, and have had to notify literally hundreds of thousands of students and alumni. It's a big obligation, but at the same time the potential costs to those individuals are great as well.