Yes, and the lack of data is a problem not only in terms of the government being able to understand the problem, but also in terms of our capacity to undertake research and development for the purposes of finding security solutions.
As Mr. Dupont stated, not all organizations are the same. Some are using management or technological procedures, and some are more efficient than others. In order to be able to determine which ones are better and should become best practices, we need data that will confirm that the measures in question are appropriate.
Data is necessary for research and development, but it is also necessary for another risk management tool, which is insurance.
The insurance industry has been trying to get into the business of insuring Canadians for IT risk and risks like identity theft. But it's a bit of the chicken and the egg conundrum here because they don't have data so they can't evaluate the risk, they can't price the insurance premiums, and therefore they're not jumping into the business.
There are two ways of addressing the problem. One is laws that would force those who had been breached to release that information such that insurance companies and other industry-wide associations could gather that data to start offering insurance premiums. Second, as we've had in other sectors, when the private sector doesn't know how to make money, one option is for the government to start offering those services until enough data is provided and then they can farm out that insurance sector.
For example, in Quebec, automobile insurance is a state-owned business. In many other parts of the country it has been privatized. The reason it was created at the beginning, in the sixties I believe, is that nobody from the private sector wanted to own that risk. So I think this is where the government can show leadership, not only in the law but also trying to jump-start the process by offering this risk protection.