I appreciate that; that's helpful.
Moving on to the second thing, which I think there is some confusion on, there's been some discussion today about the whole notion of what “delete” means, what “deactivate” means. Deactivation does not mean deletion. For example, websites will ask you if you want to deactivate your account. A user might think they're deleting their account, but they're not. The information in the account still exists; it's just been deactivated. Some would say there are good reasons for keeping that information, because nobody else can start up an account that matches or mirrors the one you just deactivated. You would have two accounts that are the same. That might actually protect the interest of the particular consumer in certain cases, where nobody else can cyber squat. If the account were deleted, somebody could come in and easily do that.
For the most part, I understand the value in wanting some information deleted from a database. If I have information I don't want to have in the hands of somebody at a certain point, I think, realistically, I make an order or make a request of that particular organization to have that information deleted. I also understand the complexity of having multiple backups, whether they're static backups or dynamic backups. How do you go back to a static system and change it if you have to do a restore because you had a system crash? You're going to bring back information you might not be able to tag at certain checkpoints along the way in the recovery process.
This is a very complicated thing to do, not only from a legislative perspective but also from a technical perspective. Can you elaborate further on anything your organization has done, any counsel you can give the committee on what other jurisdictions may have been able to do to successfully satisfy some of these cases?