Towards the end of my presentation, I mentioned four or five points in that regard. But there is something else I would say.
In an ideal world, companies would be penalized for failing to report a security breach. The commissioner should have the power to issue orders and make them available to the public. When faced with the risk of a sullied reputation, companies—be they banks or telecom carriers—would be more motivated to report a security breach.
Of course, we could examine the bill in greater detail. For instance, is the real risk of significant harm test too high? Is it too subjective? Won't companies take the position that the risk is hard to measure in cases where data was simply lost, even if it is financial data?
How is it possible to measure the risk of misuse? That isn't always clear. Does the criterion give companies too much latitude? We could revisit that in greater detail, but it's better than nothing, to be sure.