Yes, I think that is problematic. There is a strong incentive for organizations not to report security breaches. So the law, in order to be effective, needs to address that incentive, needs to provide a counter-incentive, and I think that counter-incentive has to be an objective standard that is low enough that they will be reporting all material breaches. That was the standard in previous iterations of this bill. I'm not sure why it's been changed in Bill S-4.
It's a big issue. There are two standards here. There's one for when the organization has to report the breach to the Privacy Commissioner, which is not necessarily public, and there's an issue over whether that should be made public or not, I suppose. The other is when they are required to report it to the affected individuals.
I think it makes sense to have a lower standard for reporting breaches to the Privacy Commissioner, and a higher standard for reporting to individuals. I'm not sure why the government has seen fit to apply the high standard to both. Security safeguards are a fundamental piece of this identity theft puzzle, and organizations play a huge role in this. By establishing an objective standard under which organizations have to report security breaches to the Privacy Commissioner, we will only then have any decent registry or inventory of security breaches, of ways in which organizations are not meeting the standard for protecting personal information.