Well, from observation over the years, I think it is the only thing that makes them sit up and take notice.
Their names are already public. We're dealing with a far different breed of companies from what existed when PIPEDA was adopted. Lawyers have said to me many times over the years, “I wish there were more sanctions”, or, when I started talking about sanctions, they say they are so happy we are doing that because their client—this could be an outside client at a law firm or the CEO of a company where they are an in-house lawyer—asks them to draw up all the regulatory risks and then asks, “What happens if I don't?”
When they get to privacy, they ask what happens if they fall off the Canadian privacy wagon. Well, I have to say, “Don't worry. There will be an investigation, and in the course of the investigation, you can promise to fix it”, and that's it. That's what the law says. If they promise to fix it and there's an agreement, I don't take them to Federal Court, so they say, “Okay, fine; put it at the bottom of the list.”
As a result, the lawyers who were advising their clients can't get their clients to pay attention to Canadian privacy law because the CEO asks, “What are my biggest risks?” If there's virtually no risk of infringing when you infringe a Canadian privacy law, you move on to other things. That includes data breach, as we were talking about earlier.