Your premise is quite right. I believe it characterizes our office. Because technology and society are moving so fast in relation to privacy and personal information, indeed we never know what's going to come at us.
Turning to Heartbleed, immediately when we heard about it, our technological analysis unit examined the issue, briefed me on it, and explained to me that in fact it was an Internet-wide issue that was probably not malicious, and that it was probably an honest mistake that created a vulnerability that data holders did not know about because no one knew about it. As well, as we now know, it was unfortunately exploited by some hackers.
What we see in front of us now is a situation in which the vulnerability of the Internet was exposed. More than the deficiencies of any data holder, it was the vulnerability of the Internet that was exposed.
We also saw that these vulnerabilities can be exploited with malicious intent either for personal gain or perhaps just for fun. Sadly, we see a lot of hacking just for fun.
At this point, we have no investigation related to Heartbleed, probably due to the fact that the only instance has been very quickly contained. I am speaking based only on the facts I know so far. I reserve my position on it in case I should get more information. But on the basis of what we know so far, there has been no management failing. It was a vulnerability in the Internet and what had to be done to contain it has been done.